This article covers the question "Which CSP do child iframes inherit from their parent?" and how to approach it; the answer should be a useful reference for anyone running into the same problem.

Problem description

I have a web page (say origin = A) which embeds an iframe loaded from a different domain (say B). B loads scripts from various other domains (various CDNs). My web page A sets a very strict CSP, such as:

B doesn't set any CSP headers.

Now I would expect the child frame, B, to inherit the CSP rules of A and trying to access various CDNs should be a violation of its CSP because of script-src 'self' but to my surprise, it works smoothly.

So my question is: How is CSP inherited by child iframes? Does it depend on its parent frame's CSP if a CSP for the iframe is not mentioned? If yes, how? Is there any documentation somewhere about it? I couldn't find anything specific that would explain the situation above.

Is there a way I can debug the CSP inherited by child iframes? From Chrome's debugger or FF's debugger - by selecting the iframe, and then the CSP for the iframe would show up?

Solution

It's not. That is, not in the common case (the "loads from a different domain" case in the question).

But there are other ways to populate an iframe, and CSP works differently in those cases (see below).

No, it doesn't for the common case (the "loads from a different domain" case given in the question).

Yes, see the Policy applicability section of the CSP2 specification, which says this:

    Any resource fetched via iframe, object, or embed:
    Unless the embedded resource is a globally unique identifier (or a srcdoc iframe), the embedded resource is controlled by the policy delivered with the resource. If the embedded resource is a globally unique identifier or a srcdoc iframe, it inherits the policy of the context that created it.

A "globally unique identifier" is something with a data: URL or another kind of URL that's not a hierarchical URL such as an https/http URL.

So the common case (described as "loads from a different domain" in the question) is an "embedded resource is controlled by the policy delivered with the resource" case - that is, it doesn't inherit.

In contrast, if the iframe is a srcdoc iframe, the case is very different and the spec says:

That is, a srcdoc iframe does inherit its parent's CSP policy.
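The rule the answer quotes can be checked offline. The following is an added example, not code from the original question or answer: it models the CSP2 "policy applicability" rule for embedded resources (URL-loaded frames keep the policy delivered with the response; srcdoc and non-hierarchical URLs such as data: inherit the creating context's policy) and pairs it with a deliberately minimal script-src matcher, so the question's four framing cases can be compared side by side. The hosts a.example, b.example and cdn.example, the policies, and the simplifications in the matcher (no ports, paths, nonces or hashes) are all assumptions made for the example.

```javascript
// Added example (not part of the original question or answer): a small model of
// the CSP2 "policy applicability" rule quoted above, plus a minimal script-src
// matcher, so the framing cases can be compared offline in Node.js.
// All hosts, policies and URLs below are constructed for illustration.

// Parse a serialized CSP header value into a Map of directive name -> source list.
// The first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Decide which policy governs the document inside an iframe.
// `frame` is either { src, deliveredCsp } for a URL-loaded frame (deliveredCsp is
// the header that came with the response, or null) or { srcdoc } for a srcdoc frame.
// Only http/https are treated as hierarchical URLs; anything else (data:, blob:,
// about:) is treated as a "globally unique identifier" and inherits (assumption:
// this is the CSP2 wording; CSP3 calls these "local schemes" with the same effect).
// Returns { policy, inherited } where policy is a parsed CSP or null when none applies.
function effectivePolicy(parentCsp, frame) {
  const isSrcdoc = typeof frame.srcdoc === 'string';
  const scheme = isSrcdoc ? '' : frame.src.split(':')[0].toLowerCase();
  const hierarchical = scheme === 'http' || scheme === 'https';
  if (!isSrcdoc && hierarchical) {
    // Controlled by the policy delivered with the resource; the parent's is irrelevant.
    return { policy: frame.deliveredCsp ? parseCsp(frame.deliveredCsp) : null, inherited: false };
  }
  // srcdoc / globally unique identifier: inherits the creating context's policy.
  return { policy: parentCsp ? parseCsp(parentCsp) : null, inherited: true };
}

// Minimal source-expression matcher for script loads: supports 'none', 'self', '*',
// scheme sources (https:) and host sources with an optional leading '*.'.
// Ports, paths, nonces and hashes are deliberately not modeled (assumption).
// `documentOrigin` is the origin that 'self' is evaluated against.
function scriptAllowed(policy, documentOrigin, scriptUrl) {
  if (!policy) return true;                          // no policy at all: nothing is blocked
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (!sources) return true;                         // no governing directive either
  const doc = new URL(documentOrigin);
  const url = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return url.origin === doc.origin;
    if (src.startsWith("'")) return false;           // other keywords: not modeled
    if (src.endsWith(':')) return url.protocol === src;
    const host = src.replace(/^[a-z]+:\/\//i, '').split('/')[0];
    if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
    return url.hostname === host;
  });
}

// The question's setup as constructed sample data: page A with a strict CSP,
// a script on some CDN, and four ways of framing content that loads that script.
const PARENT_CSP = "default-src 'self'; script-src 'self'";
const PARENT_ORIGIN = 'https://a.example';
const CDN_SCRIPT = 'https://cdn.example/lib.js';

function runScenarios() {
  const cases = {
    // The question's case: cross-origin iframe B, and B sends no CSP header.
    crossOriginNoCsp: { origin: 'https://b.example',
      frame: { src: 'https://b.example/page', deliveredCsp: null } },
    // Same iframe, but B now ships a policy of its own that allows the CDN.
    crossOriginOwnCsp: { origin: 'https://b.example',
      frame: { src: 'https://b.example/page', deliveredCsp: "script-src 'self' https://cdn.example" } },
    // srcdoc iframe created by A: inherits A's policy, so 'self' means A's origin.
    srcdoc: { origin: PARENT_ORIGIN,
      frame: { srcdoc: '<script src="https://cdn.example/lib.js"></script>' } },
    // data: URL iframe created by A: also inherits.
    dataUrl: { origin: PARENT_ORIGIN,
      frame: { src: 'data:text/html,<script src="https://cdn.example/lib.js"></script>' } },
  };
  const results = {};
  for (const [name, { origin, frame }] of Object.entries(cases)) {
    const { policy, inherited } = effectivePolicy(PARENT_CSP, frame);
    results[name] = { inherited, cdnAllowed: scriptAllowed(policy, origin, CDN_SCRIPT) };
  }
  return results;
}

console.log(runScenarios());
```

Running it with Node.js prints that the cross-origin frame with no header of its own loads the CDN script freely (the behaviour the question observed), that the same frame is governed only by whatever policy B itself sends, and that the srcdoc and data: frames inherit A's script-src 'self' and refuse the CDN script. To lock B down, B must send its own Content-Security-Policy header; A's policy never reaches it.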

That concludes this article on "Which CSP do child iframes inherit from their parent?". We hope the answer above is helpful, and thank you for your continued support!

09-21 21:21