Is it possible that the CSP only applies to the parent frame and not the iframe?

If I have a webpage with a CSP set to:

default-src 'self'; img-src *


Or similar and I have an iframe like:

some legal content
<iframe sandbox="allow-scripts" srcdoc="&lt;script>alert('arbitrary code')&lt;/script>"></iframe>


Is it possible to allow code in an iframe to ignore the parent frame's CSP and allow inline scripts / styles, content from other domains, or any other arbitrary HTML thing that does not violate the sandbox restrictions?

Currently this will give:

[Error] Inline script was denied execution because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. (about:srcdoc, line 1)

The CSP specification confirms that this is the correct behavior:

Whenever the user agent creates an iframe srcdoc document in a browsing context nested in the protected resource, if the user agent enforces any policies for the protected resource, the user agent MUST enforce those policies on the iframe srcdoc document as well.

+3
1 answer


It's impossible.

There are only two ways to accomplish what you need:

  • Change the CSP rules of the parent page to whitelist your arbitrary code (I would suggest using a CSP nonce or hash for your arbitrary content, not 'unsafe-inline').
  • Place your iframe on an external (secondary) domain with rules you can control and whitelist it with frame-src and child-src (see #1).
+2