Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Funkcionalnosć tutoho sydła so přez wothladowanske dźěła wobmjezuje, kotrež maja waše dožiwjenje polěpšić. Jeli nastawk waš problem njerozrisuje a chceće prašenje stajić, wobroćće so na naše zhromodźenstwo pomocy, kotrež na to čaka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomhać.

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

CSP header blocks file download in iframe for Firefox only

more options

I am launching my website in an iframe. I am using the following CSP headers:

default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:

I am trying to download a file from the client side using JavaScript:

var a = doc.createElement('a');

a.download ='download.pdf';

a.href = 'data:application/pdf;base64,' + pdfdata;

doc.body.appendChild(a);

a.onclick = function () {

   a.parentNode.removeChild(a);

};

a.click();

In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:


Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).


I am unable to understand why it’s failing only for Firefox.

I am launching my website in an iframe. I am using the following CSP headers: default-src 'self'; frame-ancestors: 'self'; img-src 'self' data: I am trying to download a file from the client side using JavaScript: var a = doc.createElement('a'); a.download ='download.pdf'; a.href = 'data:application/pdf;base64,' + pdfdata; doc.body.appendChild(a); a.onclick = function () { a.parentNode.removeChild(a); }; a.click(); In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error: Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”). I am unable to understand why it’s failing only for Firefox.

Wot Amjad Aziz změnjeny

Wšě wotmołwy (6)

more options

I'm not sure why a <a href> is giving this issue.

For images, for example, you could use

img-src 'self' data:;

to allow data URIs. But for links???

There is an experimental directive named

navigation-to

but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.

Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives

more options

If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.

more options

Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.

You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/

more options

For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only

more options

Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?

more options

I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".