Chromium and Firefox/WebKit currently appear to differ in how frame-src is enforced for object and embed elements that create child navigables.
All engines appear to enforce object-src for these elements, but Chromium additionally appears to enforce frame-src.
The CSP3 "effective directive for a request" algorithm defines:
- frame-src for frame and iframe
- object-src for object and embed
Based on this section alone, Firefox/WebKit’s behavior appears consistent with the specification, since frame-src is not listed for object or embed.
However, other specification text appears to imply that frame-src may also be relevant because these elements can create child navigables.
The CSP definition of frame-src states:
"The frame-src directive restricts the URLs which may be loaded into child navigables."
At the same time, HTML specifies that object can create a child navigable:
"The object element can represent an external resource, which, depending on the type of the resource, will either be treated as an image or as a child navigable."
and per https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element embed may also create one:
"If element’s content navigable is null, then create a new child navigable for element."
This appears to create ambiguity regarding whether frame-src is intended to apply to object and embed loads that result in child navigables.
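
The divergence described above, as an added example that is not part of the original issue or of any engine's code: a simplified JavaScript model that evaluates one load under the "effective directive only" reading and under the reading where frame-src is checked as well. The function names, the `createsChildNavigable` flag, the model names and the `widgets.example` origin are assumptions, and source matching is reduced to `*`, `'none'` and exact origins.

```javascript
// Simplified CSP model (added example). Source expressions supported:
// '*', 'none' and exact origins only.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Duplicate directives are ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP3 fallback lists for the two directives discussed in the issue.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'object-src': ['object-src', 'default-src'],
};

// "Effective directive for a request" mapping quoted in the issue.
const EFFECTIVE = { frame: 'frame-src', iframe: 'frame-src', object: 'object-src', embed: 'object-src' };

function allowedBy(policy, directive, url) {
  const governing = FALLBACK[directive].find((d) => policy.has(d));
  if (!governing) return true; // nothing in the fallback chain restricts this load
  const origin = new URL(url).origin;
  return policy.get(governing).some((s) => s === '*' || s === origin);
}

// model 'spec': only the effective directive is checked.
// model 'additional-frame-src': frame-src is also checked when object/embed
// creates a child navigable (the behaviour the issue attributes to Chromium).
function checkLoad(header, { element, url, createsChildNavigable }, model) {
  const policy = parsePolicy(header);
  const checked = [EFFECTIVE[element]];
  if (model === 'additional-frame-src' && createsChildNavigable && !checked.includes('frame-src')) {
    checked.push('frame-src');
  }
  const violated = checked.filter((d) => !allowedBy(policy, d, url));
  return { checked, violated, allowed: violated.length === 0 };
}

// Constructed policy and load: an <object> that renders an HTML document.
const header = "object-src https://widgets.example; frame-src 'none'";
const load = { element: 'object', url: 'https://widgets.example/page.html', createsChildNavigable: true };
for (const model of ['spec', 'additional-frame-src']) {
  console.log(model, JSON.stringify(checkLoad(header, load, model)));
}
```

The same policy therefore gives different results per engine, and a policy that sets only `default-src 'none'` plus an `object-src` allowlist is blocked under the second model through the frame-src fallback to default-src.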