Problem: When a web server responds with the header
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
this appears to cause Chromium to add the header
Sec-Fetch-Site: cross-site
when requesting the stylesheet from the same origin (and directory) as the containing html page. Instead, it is expected that the above CSP cause the browser to submit Sec-Fetch-Site: same-origin
.
To reproduce using nginx+Chromium:
Add the following 4 lines to a location
directive in an nginx config file:
add_header Content-Security-Policy "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
if ($http_sec_fetch_site = 'cross-site') {
return 403;
}
Serve the following 2 static files report.html
and report.css
from that location.
report.html
:
<!DOCTYPE html>
<html>
<head>
<title>Report</title>
<link rel="stylesheet" href="report.css">
</head>
<body>
<h1>Report</h1>
</body>
</html>
and
report.css
:
body { font-family: sans-serif }
Here are screenshots of both the report.html
and subsequent report.css
requests with the Developer tools Network window:
Note that the request for report.css
is 403 Forbidden
due to the incorrect Sec-Fetch-Site: cross-site
header in the request.
Question: Why is Chromium submitting Sec-Fetch-Site: cross-site
for a file that should be same-origin
based on the given CSP which allows same-origin stylesheets?
Note: If it seems the issue is not being reproduced, verify that the following header is seen in the server response when report.html
is requested:
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
in order to set the CSP for the subsequent request for report.css
.
Chromium Version 113.0.5672.126 (Official Build) Arch Linux (64-bit)