Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

CSP header blocks file download in iframe for Firefox only

Amjad Aziz
Amjad Aziz
more options

I am launching my website in an iframe. I am using the following CSP headers:

default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:

I am trying to download a file from the client side using JavaScript:

var a = doc.createElement('a');

a.download ='download.pdf';

a.href = 'data:application/pdf;base64,' + pdfdata;

doc.body.appendChild(a);

a.onclick = function () { 

   a.parentNode.removeChild(a);

};

a.click();

In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:


Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).


I am unable to understand why it’s failing only for Firefox.

I am launching my website in an iframe. I am using the following CSP headers: default-src 'self'; frame-ancestors: 'self'; img-src 'self' data: I am trying to download a file from the client side using JavaScript: var a = doc.createElement('a'); a.download ='download.pdf'; a.href = 'data:application/pdf;base64,' + pdfdata; doc.body.appendChild(a); a.onclick = function () { a.parentNode.removeChild(a); }; a.click(); In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error: Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”). I am unable to understand why it’s failing only for Firefox.

Modified by Amjad Aziz

All Replies (6)

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

I'm not sure why a <a href> is giving this issue.

For images, for example, you could use

img-src 'self' data:;

to allow data URIs. But for links???

There is an experimental directive named

navigation-to

but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.

Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives

Amjad Aziz
Amjad Aziz Question owner
more options

If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.

You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only

Amjad Aziz
Amjad Aziz Question owner
more options

Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".