Consider the following code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="content-security-policy" content="frame-src 'self';" />
<title>Outer!</title>
</head>
<body>
<p>Outer</p>
<iframe srcdoc="<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='UTF-8'>
<title>Middle in srcdoc</title>
</head>
<body>
<p>Middle</p>
<iframe src='inner.html'></iframe>
</body>
</html>"></iframe>
</body>
</html>
and
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Inner</title>
</head>
<body>Inner</body>
</html>
Set both on the same server, port etc. Now we have an iframe. This contains a page via srcdoc, and that one does contain another page via a normal src attribute. The middle page correctly inherits the CSP from the outer page. In Chrome we see all three layers, but in Firefox the inner gets blocked by CSP. Apparently it does not know what 'self' is anymore. This seems to be almost a bug in Firefox or at least a strange quirk. Any ideas how to handle this?
Tags: content security policy, CSP blocks iframe in iframe in firefox, Stack Overflow
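A local harness for comparing the two browsers on this nesting, as an added example that is not part of the original post: it serves the same three documents once with `frame-src 'self'` and once with the serving origin listed explicitly, and the middle document logs any `securitypolicyviolation` it triggers. The routes `/self` and `/origin`, port 8080 and the file name `harness.js` are assumptions.

```javascript
// Added example, not from the post; /self, /origin, port 8080, harness.js are assumed names.
const INNER = '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">' +
  '<title>Inner</title></head><body>Inner</body></html>';

// Escape text for use inside a double-quoted HTML attribute such as srcdoc.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Middle document: frames inner.html and logs any CSP violation raised in it.
function middlePage() {
  return '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">' +
    '<title>Middle in srcdoc</title><script>' +
    'document.addEventListener("securitypolicyviolation", e => console.log(' +
    '"blocked", e.blockedURI, "by", e.violatedDirective, "in", e.documentURI));' +
    '</script></head><body><p>Middle</p>' +
    '<iframe src="inner.html"></iframe></body></html>';
}

// "self" reproduces the question's policy; "origin" names the serving origin instead.
function frameSrc(variant, origin) {
  if (variant === 'self') return "'self'";
  if (variant === 'origin') return origin;
  throw new Error('unknown variant: ' + variant);
}

// Outer document: meta CSP plus the middle document carried in an escaped srcdoc.
function outerPage(variant, origin) {
  const csp = 'frame-src ' + frameSrc(variant, origin) + ';';
  return '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">' +
    '<meta http-equiv="content-security-policy" content="' + escapeAttr(csp) + '">' +
    '<title>Outer (' + variant + ')</title></head><body><p>Outer</p>' +
    '<iframe srcdoc="' + escapeAttr(middlePage()) + '"></iframe></body></html>';
}

// Run `node harness.js serve`, then open /self and /origin in each browser.
async function serve(port) {
  const http = await import('node:http');
  http.createServer((req, res) => {
    const origin = 'http://' + req.headers.host;
    const path = req.url.split('?')[0];
    const known = path === '/self' || path === '/origin';
    const body = path === '/inner.html' ? INNER : known ? outerPage(path.slice(1), origin) : null;
    res.writeHead(body ? 200 : 404, { 'Content-Type': 'text/html; charset=utf-8' });
    res.end(body || 'not found');
  }).listen(port, '127.0.0.1');
}
if (process.argv[2] === 'serve') serve(8080);
```

Open the browser console on each route: a blocked inner frame shows up as a logged violation with the directive and the document URI it was evaluated in.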