Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Content-security-policy bug

See original GitHub issue

Bug Report

Child iframe in remotely-hosted iframe within cordova app doesn’t load, despite appropriate Content-Security-Policy http header in child iframe. Bug reproduction repository here: https://github.com/blukis/bugdemo-cordova-android-issue-560/

Problem

Child iframe in remotely-hosted iframe within cordova app doesn’t load, despite Content-Security-Policy http header in child iframe.

What is expected to happen?

Inner-iframe (iframe border colored blue) is expected to load.

What does actually happen?

Inner-iframe (iframe border colored blue) doesn’t load, and appears blank.

Information

Chrome debug console reports…

Refused to display ‘http://201x.plurib.us/test/2018/content-security-inner.php’ in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors *”

Command or Code

Build the app (I’m using PhoneGap build, because cordova-proper is beyond my expertise). Bug manifests on initial state of the app when it’s run.

Environment, Platform, Device

Android

Version information

Phonegap build, using cli-9.0.0

Checklist

  • I searched for existing GitHub issues
  • [?] I updated all Cordova tooling to most recent version
  • I included all the necessary information above

--------

Original post…

I believe I found an issue with content-security-policy in cordova environment…

I have an app that includes this page in an iframe: “http://201x.plurib.us/test/2018/content-security-outer.html”, which in turn includes this page in another iframe “http://201x.plurib.us/test/2018/content-security-inner.php”. (Note: these are very short pages created to debug this issue. The original page causing the issue was a shopify checkout page, found in the comments of “…outer.html”.)

“…inner.php” includes this http header: Content-Security-Policy: frame-ancestors *

“…outer.html” (and its inner iframe) loads OK in Chrome on Android, but when included the url in a cordova app, “…inner.php” iframe does not load. (Note: app has “cordova-plugin-whitelist” plugin and <access origin="*" />).

When I enable android debugging and check the remote device console in Chrome, I see this error in the Chrome console:

Refused to display ‘http://201x.plurib.us/test/2018/content-security-inner.php’ in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors *”.

Maybe I’m missing something, but I’m not sure how anything could fail to pass “frame-ancestors *”. Is it a cordova issue? Thanks!

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:6
  • Comments:18 (7 by maintainers)

github_iconTop GitHub Comments

4reactions
exxbraincommented, Sep 15, 2019

Another case is submitting a form to an iframe:

	<form action="http://www.ralfinter.ru/csp_test.php" target="iframe" method="post" >
		<input type="submit"/>
	</form>
	<iframe name="iframe" width="400" height="400"><iframe>

“Origin” header is “null”. Screenshot 2019-09-15 at 17 45 22 The result is the same error.

3reactions
breautekcommented, Sep 23, 2019

I’ve looked into this a bit deeper, and creating my own test server to use as the CSP policy must come from http headers for frame-ancestors.

I’ve ran tests both on Cordova & Desktop.

Desktop appears to run fine, including when the page is loaded through the file:// protocol (ie just opening a html page from the filesystem). Mobile appears to disallow this. The protocol must not be file:// in my tests. Which means the page needs to be loaded from a place other than the file system. This is a problem with the default webview provided by Cordova as files are… loaded from the filesystem directly.

A proof case is to have the following inside your config.xml

...
<content src="http://remote.example.com/outer.html" />

Here, the app content outer.html will be loaded from the webserver, and location.origin will have a http:// origin path. The CSP policy will behave properly in this case. Do note that this config IS NOT recommended if you use cordova APIs and plugins due to app store policies regarding executing native APIs remotely. This is just for proof that frame-ancestors CSP works under a http origin vs file origin.

I don’t know if this is an issue Cordova will fix, but basically using frame-ancestors CSP rules will not work with the default android webview.

Any Workarounds?

I have tested the Ionic Webview with this, I know this webview provides some kind of proxy support so that files are not “loaded” from the filesystem and is instead loaded through the http/s protocol (or whatever Scheme you choose… And frame-ancestors CSP policy does appear to work properly using the ionic webview due to their scheme implementation.

Note that I am not very familiar with the Ionic webview and any questions specifically about the webview I probably cannot answer, but I do know that even though it’s made by Ionic, you don’t need to use the ionic framework to use the webview.

I’ve provided a screenshot of the reproduction repo using the ionic webview.

87a67a60-4e78-44ec-aea7-09250d221df8

And my changes can be found here

Read more comments on GitHub >

github_iconTop Results From Across the Web

Content Security Policy (CSP) Not Implemented - Invicti
A Content Security Policy (CSP) Not Implemented is an attack that is similar to a Server-Side Template Injection (JinJava) that -level severity.
Read more >
Why CSP - Content Security Policy
The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who ......
Read more >
Content security policy | Web Security Academy - PortSwigger
It works by restricting the resources (such as scripts and images) that a page can load and restricting whether a page can be...
Read more >
Content Security Policy (CSP) - HTTP - MDN Web Docs
Chrome Edge Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup... base‑uri Full support. Chrome40. Toggle history Full sup... block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...
Read more >
How do I fix Content Security Policy bugs? - Stack Overflow
The first script doesn't violate the Content Security Policy. The policy says: script-src 'unsafe-eval' 'unsafe-inline' data:;.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

androidx

Next page

ERR_INVALID_ARG_TYPE after android@7.1.2 update