rullzer (Member) commented Aug 16, 2019

Signed-off-by: Roeland Jago Douma [email protected]

rullzer added the 2. developing Work in progress label Aug 16, 2019
rullzer added this to the Nextcloud 17 milestone Aug 16, 2019
rullzer mentioned this pull request Aug 18, 2019
rullzer added 3. to review Waiting for reviews bug and removed 2. developing Work in progress labels Aug 18, 2019

kesselb (Contributor) commented Aug 18, 2019

Hmm. Code looks good. As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src nonce is supported 😕

juliusknorr (Member) commented

@kesselb Probably a copy-paste issue since the description of the nonce seems to be related to inline scripts: "A whitelist for specific inline scripts..." At least Firefox and Chrome don't respect the nonce on frames.

rullzer (Member, Author) commented Aug 19, 2019

@kesselb yeah it is listed everywhere (see for example also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src ) but doesn't work yet...

rullzer merged commit e6c225a into master Aug 19, 2019
rullzer deleted the fix/frame-src/no-nonce branch August 19, 2019 07:22

kesselb (Contributor) commented Aug 19, 2019

> Probably a copy-paste issue since the description of the nonce seems to be related to inline scripts

Indeed. They included the sources from "default-src" for "img-src" and "frame-src" 🤷‍♂️
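
As an added illustration (not code from this pull request or from Nextcloud), a small linter for the situation discussed in this thread: it reports nonce sources placed in directives such as frame-src or img-src, where the browser does not use them, and rebuilds the policy without them. It goes beyond frame-src to every fetch directive other than the script and style ones, on the assumption from CSP Level 3 that nonces are matched only against script and style elements; the function names and the sample policy are constructed.

```javascript
// Assumption (CSP Level 3): nonces are matched only for script and style elements.
const NONCE_CAPABLE = new Set([
  'default-src', 'script-src', 'script-src-elem', 'style-src', 'style-src-elem',
]);
const NONCE_RE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Parse a serialized policy into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True for fetch directives (img-src, frame-src, ...) where a nonce has no effect.
function nonceIsIgnored(name) {
  return name.endsWith('-src') && !NONCE_CAPABLE.has(name);
}

// List nonce sources that sit in directives where the browser will not use them.
function findIneffectiveNonces(header) {
  const findings = [];
  for (const [name, sources] of parseCsp(header)) {
    if (!nonceIsIgnored(name)) continue;
    for (const source of sources.filter((s) => NONCE_RE.test(s))) {
      findings.push({ directive: name, source });
    }
  }
  return findings;
}

// Rebuild the policy without them. A list emptied this way becomes 'none', so the
// directive still matches nothing (dropping it would fall back to child-src/default-src).
function stripIneffectiveNonces(header) {
  const out = [];
  for (const [name, sources] of parseCsp(header)) {
    let kept = nonceIsIgnored(name) ? sources.filter((s) => !NONCE_RE.test(s)) : sources;
    if (sources.length > 0 && kept.length === 0) kept = ["'none'"];
    out.push([name, ...kept].join(' '));
  }
  return out.join('; ');
}

// Constructed sample policy.
const SAMPLE = "default-src 'none'; script-src 'nonce-abc123'; frame-src 'nonce-abc123'; img-src 'self' 'nonce-abc123'";
```

Running `findIneffectiveNonces(SAMPLE)` flags the frame-src and img-src entries and leaves the script-src nonce alone.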
