
Content-Security-Policy & iframe src


Wilks, Dan

Feb 13, 2015, 3:57:08 PM2/13/15
to dev-se...@lists.mozilla.org
Hi,

Sorry if this is the wrong place to ask, feel free to redirect me to a more appropriate list.

We’re applying Content-Security-Policy to our site and Firefox is applying the Content-Security-Policy of the page to the contents of an iframe loaded with a src attribute.

I see that the CSP2 spec indicates that iframe srcdoc must be processed using the document’s CSP but couldn’t find anything about iframes loaded from external sites.

Of course Chrome happily ignores the document’s CSP when loading the iframe contents. I was just wondering if this was expected behavior, the interpretation of a silent spec, an oversight, or a bug?

Many thanks

Wilks, Dan

Feb 13, 2015, 6:52:35 PM2/13/15
to dev-se...@lists.mozilla.org
> We’re applying Content-Security-Policy to our site and Firefox is applying the Content-Security-Policy of the page to the contents of an iframe loaded with a src attribute.

Please forgive a Friday brain fart. After digging some more I found that request was indeed buried deep within the outer page. The request was through doubleclick which is also more visibly included in the iframe. And for some reason my csp reporter doesn’t seem to be working today so I couldn’t easily find the referrer.

Cheers
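As an added example, not code from either message in this thread, here is a small Python triage routine for CSP violation reports of the kind a `report-uri` endpoint receives. It makes the check the poster was missing when the reporter was down: a report whose `document-uri` has the site's own origin was generated by the site's own document under the site's own policy, so the offending request is somewhere in that page, not inside a cross-origin iframe (which enforces only the policy its own response carries). The sample reports, the ad-server hostname and the site origin `https://www.example.com` are constructed for this example.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample report bodies in the "csp-report" shape that browsers POST
# to a report-uri endpoint. The hostnames are placeholders for this example.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/landing",
        "referrer": "",
        "blocked-uri": "https://ad.example-adserver.test/pixel.gif",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self'; img-src 'self'; "
                           "frame-src https://ad.example-adserver.test; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/landing",
        "referrer": "",
        "blocked-uri": "https://ad.example-adserver.test/pixel.gif",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self'; img-src 'self'; report-uri /csp-report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/landing",
        "referrer": "https://www.example.com/",
        "blocked-uri": "inline",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }}),
    # A report for a document that is not ours: worth investigating, not assuming.
    json.dumps({"csp-report": {
        "document-uri": "https://partner.example.net/widget",
        "blocked-uri": "https://cdn.example.org/lib.js",
        "violated-directive": "script-src",
    }}),
    '{"not": "a csp report"}',          # malformed: rejected, never trusted
]


def parse_report(body: str) -> dict:
    """Return the inner csp-report object; raise ValueError for anything else."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "document-uri" not in report:
        raise ValueError("missing csp-report object or document-uri")
    return report


def origin_of(url: str) -> str:
    """scheme://host[:port] for real URLs; 'inline', 'eval', 'data' etc. pass through."""
    parts = urlparse(url)
    if not parts.scheme or not parts.netloc:
        return url
    return f"{parts.scheme}://{parts.netloc}"


def triage(bodies, site_origin: str):
    """Count violations by (attribution, document, blocked origin, directive).

    attribution is "own-document" when the reporting document has the site's
    origin, meaning the request was issued by the site's own page under its own
    policy; anything else is "other-origin" and should be looked at by hand.
    Returns (counts, rejected_reasons).
    """
    counts = defaultdict(int)
    rejected = []
    for body in bodies:
        try:
            report = parse_report(body)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        doc = report["document-uri"]
        where = "own-document" if origin_of(doc) == site_origin else "other-origin"
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        counts[(where, doc, origin_of(report.get("blocked-uri", "")), directive)] += 1
    return dict(counts), rejected


if __name__ == "__main__":
    counts, rejected = triage(SAMPLE_REPORTS, "https://www.example.com")
    for key, n in sorted(counts.items()):
        print(n, *key)
    for reason in rejected:
        print("rejected:", reason)
```

Run against a day's worth of real reports, the `own-document` rows with the ad server as the blocked origin are the ones that would have pointed straight at the request buried in the outer page; `referrer` is only informative when the browser chose to send it, so the attribution here rests on `document-uri` instead.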