cordova - Content Security Policy frame-ancestors incorrectly blocks on safari from filesystem

Question

I am developing a cordova app for android & ios when I noticed that the iframe used in my app was not loading correctly on ios. As it turns out, although the frame-ancestors HTTP header was correctly set from the web server, safari will incorrectly refuse to load the iframe if opened through the filesystem.

Refused to load http://to-delete-test.azurewebsites.net/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

The CSP Header from the test page is:

Content-Security-Policy: frame-ancestors * data: blob: filesystem: about: ws: wss:

An example HTML file that shows this error (must be loaded from a filesystem):

<!DOCTYPE html>
<html lang="en">
<head>
    <style>
        * {
            margin: 0; padding: 0; box-sizing: border-box;
        }
        iframe {
            height: 100vh; width: 100%;
        }
    </style>
</head>
<body>
    <iframe src="http://to-delete-test.azurewebsites.net"></iframe>
</body>
</html>

question from:https://stackoverflow.com/questions/65837408/content-security-policy-frame-ancestors-incorrectly-blocks-on-safari-from-filesy

Answer 1

After additional info in comments the situation becomes clear. Due to security reasons the file:-URLs like file:///path/to/file/index.html are prohibited to be opened in nested browsing context (iframe, object, embed) regardless of CSP. Also <a href='file:///path/to/file/index.html'> is prohibited to navigate.

You cannot get around this limitation by using CSP. Moreover, the frame-ancestors directive does not supports non-network schemes for it loses its meaning.

Also looks like the console message shown belongs Safari and it's misleading a little bit. Chrome should show real violation reason like: Refused to load iframe file:///path/to/file/index.html because it violates the following Content Security Policy directive:....

Note. Chrome browser allows to access local filesystem using file:/// scheme in case of loading images/styles/scripts etc:

<img src='file:///c:/img.png'>
<script src='file:///c:/scripr.js'></script>
<link rel='stylesheet' href='file:///c:/style.css'>

and even supports the file: scheme in CSP.
But AFAIK browser extensions should not use direct access via file:///-URLs. Extensions have to use own packaged resources or the File API