CSP header blocks file download in iframe for Firefox only
I am launching my website in an iframe. I am using the following CSP headers:
default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:
I am trying to download a file from the client side using JavaScript:
var a = doc.createElement('a');
a.download ='download.pdf';
a.href = 'data:application/pdf;base64,' + pdfdata;
doc.body.appendChild(a);
a.onclick = function () {
a.parentNode.removeChild(a);
};
a.click();
In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:
Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).
I am unable to understand why it’s failing only for Firefox.
Wot Amjad Aziz
Wšě wotmołwy (6)
I'm not sure why a <a href> is giving this issue.
For images, for example, you could use
img-src 'self' data:;
to allow data URIs. But for links???
There is an experimental directive named
navigation-to
but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.
Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives
If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.
Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.
You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/
For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only
Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?
I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".