How is CSPEE recursive?

[annevk]

I tried to figure out how recursion worked in https://w3c.github.io/webappsec-csp/embedded/ and didn't see it. Doesn't this mean that an embedded could subvert any policy applied to it, as long as it can load itself somehow?

[mikewest]

I think step 1.2 of https://w3c.github.io/webappsec-csp/embedded/#abstract-opdef-set-the-required-csp is doing the work. If no csp attribute is present on a context's container, it grabs the parent's required CSP. If there is a csp attribute, it has to be subsumed by the parent's require CSP.

[annevk]

Yeah, it does seem a bit concerning it's walking up the browsing context chain. I'm pretty sure bz has pointed out issues with that pattern in the past, but perhaps only in combination with active documents.

[mikewest]

I haven't touched it in ~two years (and it may have been wrong to begin with). If there are better ways of doing it, I am happy to hop over to them. What would you like to see?

[mikewest]

(Note though, that in this case it's not walking the whole ancestor chain. We're only ever looking at the parent browsing context, and relying on it to be correct via the magic of recursion. Not sure if that improves the state of affairs, but it does reduce the number of moving parts.)

[annevk]

I suspect there might be a problem here when we start allowing for browsing context replacement, but not sure. The infrastructure here is so brittle that it makes it very hard to judge changes to it.

And when traversing it's usually better to go via documents (we should offer some kind of "parent document" to make this easier), but perhaps in this specific case that doesn't matter, it's hard to tell.

[mikewest]

Step 5.2 of https://html.spec.whatwg.org/#encoding-sniffing-algorithm defines a "parent document" variable as:

the Document through which new document is nested (the active document of the parent browsing context of new document)

Is there a way to frame that that doesn't rely on browsing contexts? If so, I'm happy to move the flag to the document and rework the pieces accordingly. It seems like we have to assume access to a "browsing context container", through, right? (Maybe "parent document" could be something like "browsing context container's root"?)

[mikewest]

This issue was moved to w3c/webappsec-cspee#1