Propagate parent policy container to local iframes (#36710)

This follows the rules as defined in https://w3c.github.io/webappsec-csp/#security-inherit-csp where local iframes (about:blank and about:srcdoc) should initially start with the CSP rules of the parent. After that, all new CSP headers should only be set on the policy container of the iframe. Part of #36437 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-07-22 23:03:42 +01:00 · 2025-05-03 10:47:40 +02:00 · 2025-05-03 10:47:40 +02:00 · 539ca27284
commit 539ca27284
parent 4164f76769
11 changed files with 45 additions and 47 deletions
--- a/components/script/dom/htmliframeelement.rs
+++ b/components/script/dom/htmliframeelement.rs
@ -279,6 +279,7 @@ impl HTMLIFrameElement {
                Some(document.insecure_requests_policy()),
                document.has_trustworthy_ancestor_or_current_origin(),
            );
+            load_data.policy_container = Some(window.as_global_scope().policy_container());
            let element = self.upcast::<Element>();
            load_data.srcdoc = String::from(element.get_string_attribute(&local_name!("srcdoc")));
            self.navigate_or_reload_child_browsing_context(
@ -361,7 +362,7 @@ impl HTMLIFrameElement {
            None
        };

-        let load_data = LoadData::new(
+        let mut load_data = LoadData::new(
            LoadOrigin::Script(document.origin().immutable().clone()),
            url,
            creator_pipeline_id,
@ -378,6 +379,10 @@ impl HTMLIFrameElement {
        let is_about_blank =
            pipeline_id.is_some() && pipeline_id == self.about_blank_pipeline_id.get();

+        if is_about_blank {
+            load_data.policy_container = Some(window.as_global_scope().policy_container());
+        }
+
        let history_handling = if is_about_blank {
            NavigationHistoryBehavior::Replace
        } else {
@ -407,7 +412,7 @@ impl HTMLIFrameElement {
        let document = self.owner_document();
        let window = self.owner_window();
        let pipeline_id = Some(window.pipeline_id());
-        let load_data = LoadData::new(
+        let mut load_data = LoadData::new(
            LoadOrigin::Script(document.origin().immutable().clone()),
            url,
            pipeline_id,
@ -417,6 +422,7 @@ impl HTMLIFrameElement {
            Some(document.insecure_requests_policy()),
            document.has_trustworthy_ancestor_or_current_origin(),
        );
+        load_data.policy_container = Some(window.as_global_scope().policy_container());
        let browsing_context_id = BrowsingContextId::new();
        let webview_id = window.window_proxy().webview_id();
        self.pipeline_id.set(None);