Skip to content

[Feature]: Ability to handle ContentSecurityPolicy failure #4691

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
[Feature]: Ability to handle ContentSecurityPolicy failure#4691
Labels
feature requestfeature request
@Manish3177

Description

@Manish3177
Manish3177
opened on Jul 18, 2024

Describe the feature/enhancement you need

When a content security policy failure occurs, specifically for an iframe navigation, we would like to make that behavior more graceful and user friendly by:

  1. Making the iframe continue to display what it was displaying.
  2. Displaying a customizable (and localizable) user-friendly message about why their navigation attempt didn't work.
  3. Potentially offering the user the option to launch the website in a new window where the CSP restrictions won't apply.
  4. Making the error in the console not appear. (This is lower priority.)

I realize that a CSP failure could also occur because of the website being navigated-to specifying CSP: frame-ancestors that don't include the parent frame's host. However, we are not too worried about that. That is also something one can't know until after the navigation has finished so we are not even expecting to solve that problem.

The scenario/use case where you would use this feature

We have an app which displays user customizable content in iframes. The content can have links (anchor tags) in them. Additionally, the parent frame specifies "Content-Security-Policy: frame-src self admin-defined-hosts". When a link is for a host that's not part of admin-defined-hosts is clicked, the iframe is blanked out and an error about CSP violation appears in the console as is the standard browser behavior but this is not very user friendly.

How important is this request to you?

This isn't a make or break feature for us but it would improve the user experience in a noticeable way for us. As far as I can tell, there is no other way to accomplish the desired behavior. Also having official API support would be beneficial.

Suggested implementation

Raise an event when content security policy failure occurs, ideally indicating what type (frame vs images for example), allowing the host app to customize behavior. The event must support a Handled property that can be set to true to indicate that the application has handled the failure on its own and the embedded browser shouldn't do anything more.

What does your app do? Is there a pending deadline for this request?

This isn't particularly time-sensitive for us.

Metadata

Assignees

No one assigned

    Labels

    feature requestfeature request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions