Om de ûnderfining foar jo te ferbetterjen is tydlik de funksjonaliteit dan dizze website troch ûnderhâldswurk beheind. Wannear in artikel jo probleem net oplost en jo in fraach stelle wolle, kin ús stipemienskip jo helpe yn @FirefoxSupport op Twitter en /r/firefox op Reddit.

Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

CSP header blocks file download in iframe for Firefox only

more options

I am launching my website in an iframe. I am using the following CSP headers:

default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:

I am trying to download a file from the client side using JavaScript:

var a = doc.createElement('a');

a.download ='download.pdf';

a.href = 'data:application/pdf;base64,' + pdfdata;

doc.body.appendChild(a);

a.onclick = function () {

   a.parentNode.removeChild(a);

};

a.click();

In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:


Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).


I am unable to understand why it’s failing only for Firefox.

I am launching my website in an iframe. I am using the following CSP headers: default-src 'self'; frame-ancestors: 'self'; img-src 'self' data: I am trying to download a file from the client side using JavaScript: var a = doc.createElement('a'); a.download ='download.pdf'; a.href = 'data:application/pdf;base64,' + pdfdata; doc.body.appendChild(a); a.onclick = function () { a.parentNode.removeChild(a); }; a.click(); In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error: Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”). I am unable to understand why it’s failing only for Firefox.

Bewurke troch Amjad Aziz op

Alle antwurden (6)

more options

I'm not sure why a <a href> is giving this issue.

For images, for example, you could use

img-src 'self' data:;

to allow data URIs. But for links???

There is an experimental directive named

navigation-to

but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.

Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives

more options

If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.

more options

Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.

You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/

more options

For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only

more options

Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?

more options

I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".