paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)

Home Page: https://paragonie.com/projects

Support frame-src for compatibility with WebKit (CSP 1)

ScottHelme opened this issue

The frame-src directive is deprecated in CSP 2 and is replaced by child-src which is correctly supported by csp-builder. Unfortunately, this will result in WebKit based browsers which only support CSP 1 falling back to default-src for nested browsing contexts, which could cause unexpected behaviour.

https://github.com/paragonie/csp-builder/blob/master/src/CSPBuilder.php#L85

In order to support WebKit you should allow a user to specify the frame-src directive. If the user does not specify a frame-src directive, the value of the child-src directive could be duplicated in the frame-src directive. There isn't really a downside apart from some header bloat and it results in support for WebKit based browsers like Safari and Edge.

@troyhunt experienced the issue and I assisted in debugging it: http://www.troyhunt.com/2015/10/how-to-break-your-site-with-content.html
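As an added example (not csp-builder's own code, which is PHP), here is the bloat-but-compatible duplication proposed above, plus a small model of which directive each browser generation consults for frames; the policy values and the CSP 1 / CSP 2 lookup rules are assumptions that follow the issue text, not a full spec implementation.

```python
# Added example, not part of csp-builder. Builds a CSP header from a
# directive map and mirrors child-src into frame-src when frame-src is
# absent, so CSP 1 (WebKit) browsers do not fall back to default-src.

KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def _format_source(src):
    # Keyword sources must be single-quoted in the serialized header.
    return f"'{src}'" if src in KEYWORDS else src


def build_csp(policy, frame_src_fallback=True):
    """Serialize a policy such as
    {"default-src": ["self"], "child-src": ["https://www.youtube.com"]}.
    With frame_src_fallback on, child-src is duplicated into frame-src
    unless the caller specified frame-src explicitly."""
    directives = dict(policy)
    if frame_src_fallback and "child-src" in directives \
            and "frame-src" not in directives:
        directives["frame-src"] = list(directives["child-src"])
    parts = []
    for name, sources in directives.items():
        values = " ".join(_format_source(s) for s in sources)
        parts.append(f"{name} {values}" if values else name)
    return "; ".join(parts)


def governing_frame_sources(header, csp_version):
    """Return the source list a browser applies to nested browsing
    contexts. Simplified model from the issue: a CSP 1 browser consults
    frame-src, a CSP 2 browser consults child-src, and either falls back
    to default-src when its directive is missing."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    preferred = "frame-src" if csp_version == 1 else "child-src"
    if preferred in directives:
        return directives[preferred]
    return directives.get("default-src", [])


if __name__ == "__main__":
    # Constructed sample policy: an embedded video from one origin.
    policy = {"default-src": ["self"], "child-src": ["https://www.youtube.com"]}
    for fallback in (False, True):
        header = build_csp(policy, frame_src_fallback=fallback)
        print(header)
        print("  CSP 1 frames:", governing_frame_sources(header, 1))
        print("  CSP 2 frames:", governing_frame_sources(header, 2))
```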

commented

There isn't really a downside apart from some header bloat

I could easily make that configuration option (default to bloat-but-compatible, but let people elect to turn that off).

commented

This has been implemented and will be included in 1.1.0 once I'm confident that it has been adequately fixed. Once again, thank you for letting me know about these quirks! 👍