IFrame Sandbox with Content Security Policy

I assume this is just a simple misunderstanding of the specification. However, I had a problem with including scripts in iFrames protected by a sandbox. In particular, the code I'm talking about is below.

In top.html:

<iframe src="framed.html" sandbox="allow-scripts"></iframe>

In framed.html:

...
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src example.com">
  <script src="http://example.com/script.js"></script>
</head>
...

When running this file in Chrome, it gives me an error:

Refused to download the script 'http://example.com/script.js' because it violates the following content security policy directive: "script-src localhost:9000".

script? , allow-same-origin iFrame , . script-src 'self' . , script , CSP. ?

: JSFiddle, .

, CSP, . script-src https://example.com script-src http://example.com script-src https://example.com https://example.com, CSP ( , CSP , ).


CSP , CSP :

; Schemes: "https:" / "custom-scheme:" / "another.custom-scheme:"
scheme-source = scheme-part ":"

; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
scheme-part = scheme
              ; scheme is defined in section 3.1 of RFC 3986.
host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char   = ALPHA / DIGIT / "-"
port-part   = ":" ( 1*DIGIT / "*" )
path-part   = path-abempty
              ; path-abempty is defined in section 3.3 of RFC 3986.

allow-same-origin null, URL- ( , ):

6.6.1.6. url ? URL- (url), (), () ( ), "", url , " " .

...

-:

  1. URL- null, " " .

    • URL- null, " " .
    • , " " , :

      • - URL-.
      • - "http", URL- - "https", "ws" "wss".
      • - "https", URL- - "wss".

:

  • origin null (- sandbox allow-same-origin).
  • url http://example.com/script.js

null , URL-, .

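As an added example (not part of the original question or answer, and not browser code): a JavaScript (Node.js) model of the CSP Level 3 check "does url match expression in origin" that the answer quotes, covering only scheme-source and host-source expressions from the grammar above; 'self', nonces and hashes are left out. The function names, the sample policies and the origin string http://localhost:9000 are assumptions made for this illustration. It shows the point of the answer: a scheme-less host-source such as example.com borrows its scheme from the protected resource's origin, and a sandboxed frame without allow-same-origin has a null origin, so nothing can match; writing http://example.com (explicit scheme) or using allow-same-origin both resolve it. It also covers the wildcard host, port and path rules of the same algorithm.

```javascript
// Added example (not from the original post): a simplified model of the CSP Level 3
// check "Does url match expression in origin?" for scheme-source and host-source
// expressions. 'self', 'unsafe-inline', nonces and hashes are deliberately not handled.
// Function names and sample policies below are assumptions made for this illustration.

const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
// [scheme://] host [:port] [path]  -- mirrors the host-source grammar quoted in the answer
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// An expression (or origin) scheme matches a URL scheme when equal, or when the URL
// uses the secure/upgraded counterpart (http -> https/ws/wss, https -> wss).
function schemeMatches(expressionScheme, urlScheme) {
  const e = expressionScheme.toLowerCase();
  const u = urlScheme.toLowerCase();
  if (e === u) return true;
  if (e === 'http') return u === 'https' || u === 'ws' || u === 'wss';
  if (e === 'https') return u === 'wss';
  return false;
}

// "*" matches any host; "*.example.com" matches subdomains only, not example.com itself.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".example.com"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return p === h;
}

// Without a port-part only the URL scheme's default port matches; ":*" matches any port.
function portMatches(exprPort, url) {
  const defaultPort = DEFAULT_PORTS[url.protocol];
  const urlPort = url.port === '' ? defaultPort : Number(url.port);
  if (exprPort === undefined) return urlPort === defaultPort;
  if (exprPort === '*') return true;
  return Number(exprPort) === urlPort;
}

// A path ending in "/" is a prefix match; any other path must match exactly.
function pathMatches(exprPath, urlPath) {
  if (exprPath === undefined || exprPath === '') return true;
  return exprPath.endsWith('/') ? urlPath.startsWith(exprPath) : exprPath === urlPath;
}

// origin is an origin string such as "http://localhost:9000", or null for an opaque
// origin (a sandboxed iframe without allow-same-origin).
function urlMatchesExpression(urlString, expression, origin) {
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);

  if (expression === '*') {
    return ['http', 'https', 'ws', 'wss'].includes(urlScheme) ||
      (origin !== null && new URL(origin).protocol === url.protocol);
  }

  const scheme = SCHEME_SOURCE.exec(expression);
  if (scheme) return schemeMatches(scheme[1], urlScheme);

  const host = HOST_SOURCE.exec(expression);
  if (!host || url.hostname === '') return false;
  const [, exprScheme, exprHost, exprPort, exprPath] = host;

  if (exprScheme !== undefined) {
    if (!schemeMatches(exprScheme, urlScheme)) return false;
  } else {
    // No scheme in the expression: the scheme is borrowed from the protected
    // resource's origin. A null origin has no scheme, so nothing can match.
    if (origin === null) return false;
    if (!schemeMatches(new URL(origin).protocol.slice(0, -1), urlScheme)) return false;
  }
  return hostMatches(exprHost, url.hostname) &&
    portMatches(exprPort, url) &&
    pathMatches(exprPath, url.pathname);
}

// Does any source expression in a script-src value allow the URL?
function sourceListAllows(sourceList, urlString, origin) {
  return sourceList.trim().split(/\s+/)
    .some((expression) => urlMatchesExpression(urlString, expression, origin));
}

// The question's scenario: script-src example.com inside a sandboxed (null-origin) frame.
const SCRIPT_URL = 'http://example.com/script.js';
console.log(sourceListAllows('example.com', SCRIPT_URL, null));                    // false
console.log(sourceListAllows('http://example.com', SCRIPT_URL, null));             // true
console.log(sourceListAllows('example.com', SCRIPT_URL, 'http://localhost:9000')); // true
```

The three calls at the end reproduce the question: with the frame's origin null, example.com never matches, while http://example.com matches because the scheme is stated in the expression itself, and the same scheme-less expression does match once the frame has a real origin (allow-same-origin).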
Source: https://habr.com/ru/post/1545997/