
We are working on a web project where the Content Security Policies are enforced via HTTP headers and via meta tags as well. There is a default set of directives which are part of the HTTP header, and each page specifies its additional policies by means of a meta tag in the document header.

One of the pages in the project loads content inside an iframe. The Content-Security-Policy in the HTTP header for that page is

Content-Security-Policy: frame-src *;

and the page has the following meta tag in its document header

<meta http-equiv="Content-Security-Policy" content="default-src none;"/>

It is mentioned in the MDN Web Docs that the fallback order is frame-src -> child-src -> default-src. In spite of setting frame-src in the HTTP header, I get the following error message in the browser console (tried on Google Chrome and Microsoft Edge):

Refused to frame '<url here>' because it violates the following Content Security Policy directive: "default-src none". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Also, moving both policies either to the HTTP header or to the meta tag works as expected.

Sohail Rajdev
  • See the answer at https://stackoverflow.com/a/51153816/441757 – sideshowbarker Feb 29 '20 at 14:52
  • @sideshowbarker Yes. I saw that answer earlier. That does not explain the fact that the fallback policy can be chosen if the actual policy is not present at the second place (meta tag in my case). To be more clear, since there was a `frame-src *` in the HTTP header in my case but there was no corresponding policy in the meta tag, so a fallback `default-src` was chosen. Barry's answer below helped me to understand this better. Thanks :) – Sohail Rajdev Feb 29 '20 at 15:09
  • What is the question? – Owl Feb 29 '20 at 15:15

1 Answer


The more general Content Security Policy page, above the frame-src one, explains what you are seeing:

Multiple content security policies

CSP allows multiple policies being specified for a resource, including via the Content-Security-Policy header, the Content-Security-Policy-Report-Only header and a <meta> element.

You can use the Content-Security-Policy header more than once... Adding additional policies can only further restrict the capabilities of the protected resource.

So with multiple CSPs, it’s like all of them are in play, not, as you seem to want, combined into one policy. So in your example, you effectively have frame-src set to none (since you have a default-src and no specific override for frame-src), so opening it up later does not work.

Barry Pollard
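The following is an added example, not code from the question, the answer or any browser; it is a small model of the enforcement rule the answer describes. Each delivered policy (every Content-Security-Policy header and every meta tag) is parsed and checked on its own, the frame-src -> child-src -> default-src fallback is resolved inside each policy separately, and the frame load is allowed only if every policy allows it. The parser and the source-expression matcher are deliberately minimal (they understand `*`, `'none'`, `'self'` and plain `scheme://host[:port]` origins, nothing else); the page origin and the framed URL are constructed sample values.

```javascript
// Added example: how several CSP policies combine for one frame load.
// Fallback happens inside a single policy; across policies every one must pass.

const FRAME_FALLBACK = ["frame-src", "child-src", "default-src"];

// Parse "frame-src *; default-src 'none'" into Map(directive -> source list).
// A directive repeated inside one policy keeps its first occurrence, as in the spec.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const chunk of serialized.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Pick the directive that governs a frame load within ONE policy.
// Returns null when the policy says nothing about frames at all.
function governingDirective(policy) {
  for (const name of FRAME_FALLBACK) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Minimal source-list matcher: 'none', *, 'self', exact origins.
// An unquoted "none" (as in the question) is just an unmatchable host, so it
// blocks as well; the matcher does not need a special case for it.
function sourceListAllows(sources, url, pageOrigin) {
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const target = new URL(url);
  for (const src of sources) {
    if (src === "*") return true;
    if (src === "'self'") {
      if (target.origin === pageOrigin) return true;
      continue;
    }
    try {
      if (new URL(src).origin === target.origin) return true;
    } catch {
      // Not an origin-shaped source expression; unsupported here, no match.
    }
  }
  return false;
}

// Evaluate a single serialized policy against a frame load.
function policyAllowsFrame(serialized, url, pageOrigin) {
  const policy = parsePolicy(serialized);
  const directive = governingDirective(policy);
  if (directive === null) return { allowed: true, directive: null };
  return {
    allowed: sourceListAllows(policy.get(directive), url, pageOrigin),
    directive,
  };
}

// Evaluate EVERY policy delivered for the page. The load is allowed only when
// no policy objects; each objection records which directive was applied.
function frameAllowed(policies, url, pageOrigin) {
  const violations = [];
  for (const policy of policies) {
    const result = policyAllowsFrame(policy, url, pageOrigin);
    if (!result.allowed) violations.push({ policy, directive: result.directive });
  }
  return { allowed: violations.length === 0, violations };
}

// Constructed sample values mirroring the question: header policy plus meta policy.
const PAGE_ORIGIN = "https://app.example";
const FRAMED_URL = "https://widget.example/embed";
const SPLIT_POLICIES = ["frame-src *;", "default-src none;"];
const MERGED_POLICY = ["frame-src *; default-src 'none';"];
```

Running `frameAllowed(SPLIT_POLICIES, FRAMED_URL, PAGE_ORIGIN)` reports one violation, from the meta policy, with `default-src` as the applied directive, which is exactly the console message in the question: the header policy passes on `frame-src *`, but the meta policy has no frame-src of its own, so its default-src governs and blocks. `frameAllowed(MERGED_POLICY, ...)` allows the load, because within one policy frame-src is found before default-src is ever consulted.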