The document open steps should set document's CSP to entryDocument's CSP

[andypaicu]

In CSP whenever a document (A) has full control over another document's (B) contents it also causes B to inherit A's CSP.
e.g. every local-scheme document inherits it's CSP from the request’s client’s global object (https://w3c.github.io/webappsec-csp/#initialize-document-csp)

I believe the document open steps is similar enough that it should be treated in the same way.

Otherwise CSP can be evaded by abusing a child frame with less restrictive CSP and using document.open/document.write.

[annevk]

cc @ckerschb

[TimothyGu]

@andypaicu Not being extremely familiar with CSP, how do expect the spec text to play out? As far as I can tell, https://w3c.github.io/webappsec-csp/#initialize-document-csp requires a request/response, which document.open doesn't have. We could certainly do something like this directly in document open steps:

1. Set document's CSP list to an empty CSP list.
2. For each policy in entryDocument's CSP list, insert a copy of policy into document’s CSP list.

But it seems wrong, as it doesn't run the initialization steps for CSP directives, which initialize a Document's CSP list does. But that's a bit troublesome, as initialization steps also take a response.

Please advise.

[TimothyGu]

For what it's worth, Firefox also seems to have a step like this in their implementation (albeit in a slightly different place).

[andypaicu]

IMO we should probably do something like this:

1. Add another initialize-type hook (initialize-document-csp-from-document, name WIP) that takes a target (document) and a source (document)
2. Do something like steps 2 and 3 of initialize-document-csp to copy the policies and initialize directives
3. Remove the response paramater from the initialize directive algorithm, or make it optional. I am unaware of any directive that actually uses this.

[TimothyGu]

@andypaicu Okay, seems like we can't do anything in HTML until those primitives get implemented in CSP then. Filed w3c/webappsec-csp#402.