Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.7k views
in Technique[技术] by (71.8m points)

cordova - Content Security Policy frame-ancestors incorrectly blocks on safari from filesystem

I am developing a cordova app for android & ios when I noticed that the iframe used in my app was not loading correctly on ios. As it turns out, although the frame-ancestors HTTP header was correctly set from the web server, safari will incorrectly refuse to load the iframe if opened through the filesystem.

Refused to load http://to-delete-test.azurewebsites.net/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

The CSP Header from the test page is:

Content-Security-Policy: frame-ancestors * data: blob: filesystem: about: ws: wss:

An example HTML file that shows this error (must be loaded from a filesystem):

<!DOCTYPE html>
<html lang="en">
<head>
    <style>
        * {
            margin: 0; padding: 0; box-sizing: border-box;
        }
        iframe {
            height: 100vh; width: 100%;
        }
    </style>
</head>
<body>
    <iframe src="http://to-delete-test.azurewebsites.net"></iframe>
</body>
</html>
question from:https://stackoverflow.com/questions/65837408/content-security-policy-frame-ancestors-incorrectly-blocks-on-safari-from-filesy

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

After additional info in comments the situation becomes clear. Due to security reasons the file:-URLs like file:///path/to/file/index.html are prohibited to be opened in nested browsing context (iframe, object, embed) regardless of CSP. Also <a href='file:///path/to/file/index.html'> is prohibited to navigate.

You cannot get around this limitation by using CSP. Moreover, the frame-ancestors directive does not supports non-network schemes for it loses its meaning.

Also looks like the console message shown belongs Safari and it's misleading a little bit. Chrome should show real violation reason like: Refused to load iframe file:///path/to/file/index.html because it violates the following Content Security Policy directive:....

Note. Chrome browser allows to access local filesystem using file:/// scheme in case of loading images/styles/scripts etc:

<img src='file:///c:/img.png'>
<script src='file:///c:/scripr.js'></script>
<link rel='stylesheet' href='file:///c:/style.css'>

and even supports the file: scheme in CSP.
But AFAIK browser extensions should not use direct access via file:///-URLs. Extensions have to use own packaged resources or the File API


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...