Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

CSP header blocks file download in iframe for Firefox only

more options

I am launching my website in an iframe. I am using the following CSP headers:

default-src 'self'; frame-ancestors: 'self'; img-src 'self' data:

I am trying to download a file from the client side using JavaScript:

var a = doc.createElement('a');

a.download ='download.pdf';

a.href = 'data:application/pdf;base64,' + pdfdata;

doc.body.appendChild(a);

a.onclick = function () {

   a.parentNode.removeChild(a);

};

a.click();

In Chrome & IE, the file is being downloaded successfully. But for Firefox I see the following CSP error:


Content Security Policy: The page’s settings blocked the loading of a resource at data:application/pdf;base64,JVBERi0xLjcK... (“default-src self”).


I am unable to understand why it’s failing only for Firefox.

Modified by Amjad Aziz

All Replies (6)

more options

I'm not sure why a <a href> is giving this issue.

For images, for example, you could use

img-src 'self' data:;

to allow data URIs. But for links???

There is an experimental directive named

navigation-to

but it is not supposed to be used in production code per https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy. See also: Content Security Policy Level 3 Working Draft.

Of course data: is discouraged in default-src, script-src, and object-src as a potential vector for XSS attacks: https://www.w3.org/TR/CSP/#csp-directives

more options

If I launch my website outside of the iframe then it works fine on all browsers including Firefox. But when I launch it in iframe then it works fine for other browsers except Firefox. If I add new directive frame-src 'self' data:; to my CSP headers then it works fine for Firefox as well in iframe. But I am not sure why I have to use another directive for only Firefox when website is launched in iframe.

more options

Oh... it seems Firefox is assessing whether the frame can be navigated to the href of the link consistent with your default-src, even though the frame is not actually going to be navigated to the data URI because the link has the download attribute set.

You could check whether there is a bug on file for this: https://bugzilla.mozilla.org/

more options

For reference, bug created (confirmed): Bug 1365502 - CSP header blocks file download in iframe for Firefox only

more options

Just one quick question. Is it safe to use frame-src 'self' data:; from XSS attack ?

more options

I don't think it's safe. On the other hand, if it only causes Firefox to do what other browsers already do, I guess it is no less safe. But that's a big "if".