为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

CSP header blocks file download in iframe for Firefox only

more options

I am launching my website in an iframe. I am using the following CSP headers:

default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:

I am trying to download a file from the client side using JavaScript:

var a = doc.createElement('a');

a.download ='download.pdf';

a.href = 'data:application/pdf;base64,' + pdfdata;

doc.body.appendChild(a);

a.onclick = function () {

   a.parentNode.removeChild(a);

};

a.click();

In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:


Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).


I am unable to understand why it’s failing only for Firefox.

I am launching my website in an iframe. I am using the following CSP headers: default-src 'self'; frame-ancestors: 'self'; img-src 'self' data: I am trying to download a file from the client side using JavaScript: var a = doc.createElement('a'); a.download ='download.pdf'; a.href = 'data:application/pdf;base64,' + pdfdata; doc.body.appendChild(a); a.onclick = function () { a.parentNode.removeChild(a); }; a.click(); In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error: Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”). I am unable to understand why it’s failing only for Firefox.

由Amjad Aziz于修改

所有回复 (6)

more options

I'm not sure why a <a href> is giving this issue.

For images, for example, you could use

img-src 'self' data:;

to allow data URIs. But for links???

There is an experimental directive named

navigation-to

but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.

Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives

more options

If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.

more options

Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.

You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/

more options

For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only

more options

Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?

more options

I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".