w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

frame-src is not effective in restricting the possible origins of subframes #662

Open antosart opened 6 months ago

antosart commented 6 months ago

As noticed here, since CSP sources match against the URL to be loaded and not against the origin, and since about:blank is always allowed by CSP, Content-Security-Policy: frame-src 'self' does not prevent child frames of the current document from having different origins than the document itself. For example, in the frame tree 1.A > 2.B > 3.B with origins A and B, the top-level A can always navigate the grandchild to about:blank, making it have origin A and resulting in the frame tree 1.A > 2.B > 3.A, even if 2.B comes with CSP: frame-src 'self'.

This might be surprising to web developers, who might assume in their security model that this would never happen. I wonder if it's something we'd want to change.
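The frame-tree walk in the comment above, replayed as an added example (not code from the issue, the CSP spec, or any browser) that models the two rules the comment combines; the origins https://a.example and https://b.example, the function names, and the simplification that only 'self' and origin-level host-sources are matched are assumptions:

```javascript
// Added example, not from the issue or the CSP spec: a simplified model of the two
// rules the comment combines, replayed on the frame tree 1.A > 2.B > 3.B.
// Assumptions: only 'self' and origin-level host-sources are modelled, and
// about:blank is treated as always allowed, as the comment states.
// Rule 1: frame-src matches the URL being loaded, not the resulting origin.
function frameSrcAllows(sourceList, documentOrigin, url) {
  if (url === "about:blank") return true; // always allowed by CSP
  const target = new URL(url).origin;
  return sourceList.some((expr) =>
    expr === "'self'" ? target === documentOrigin : new URL(expr).origin === target
  );
}

// Rule 2: a frame navigated to about:blank inherits the initiator's origin.
function originAfterNavigation(url, initiatorOrigin) {
  return url === "about:blank" ? initiatorOrigin : new URL(url).origin;
}

// Navigate frame `index` (0-based, so frame 3 is index 2). The parent document's
// frame-src governs what its child frame may load.
function navigate(tree, index, url, initiatorOrigin) {
  const parent = tree[index - 1];
  if (parent.frameSrc && !frameSrcAllows(parent.frameSrc, parent.origin, url)) {
    return { blocked: true, tree };
  }
  const next = tree.map((f) => ({ ...f }));
  next[index].origin = originAfterNavigation(url, initiatorOrigin);
  return { blocked: false, tree: next };
}

const A = "https://a.example"; // assumed origin for "A"
const B = "https://b.example"; // assumed origin for "B"
// Frame tree 1.A > 2.B > 3.B; frame 2's document is served with frame-src 'self'.
const initial = [
  { origin: A, frameSrc: null },
  { origin: B, frameSrc: ["'self'"] },
  { origin: B, frameSrc: null },
];

function replay() {
  // A direct load of an A URL into frame 3 is blocked by 2.B's frame-src 'self'...
  const direct = navigate(initial, 2, "https://a.example/page", A);
  // ...but top-level A navigating frame 3 to about:blank passes the check, and the
  // frame then inherits A's origin, so the tree becomes 1.A > 2.B > 3.A.
  const blank = navigate(initial, 2, "about:blank", A);
  return { directBlocked: direct.blocked, blankBlocked: blank.blocked,
           finalOrigins: blank.tree.map((f) => f.origin) };
}
```

The takeaway for a page author is that frame-src 'self' constrains which URLs a child frame may load, not which origin the child frame ends up with.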

qabandi commented 1 month ago

+1, about:srcdoc too; see https://issues.chromium.org/issues/40052152

NDevTK commented 1 month ago

Well, at least .srcdoc can't be set by a cross-origin embedder.

NDevTK commented 1 month ago

For context, this CSP "bypass" was used in https://ndevtk.github.io/writeups/2024/09/19/drive/; without agreement, not much can change. The Chromium bug for this, https://issues.chromium.org/338248596, is currently marked as an ExternalDependency.