After a pentest, they found that I need to add the sandbox directive to my Content Security Policy. I have a page with 4 frames:
    <frameset rows="35,*,20" framespacing="0" border="0" frameborder="no">
        <frame name="testata" scrolling="no" noresize src="top.asp" id="testata">
        <frameset cols="260,*" id="framesetCentrale">
            <frame name="funzioni" src="menu.asp" scrolling="auto" class="bordofrmdestra" id="funzioni">
            <frame name="visualizza" src="visualizza.asp" scrolling="auto" id="visualizza">
        </frameset>
        <frame name="fondo" scrolling="no" noresize src="fondo.asp" id="fondo">
        <noframes>
            <body>
                <p>La pagina corrente utilizza i frame. Questa caratteristica non è supportata dal browser in uso. Aggiornate il vostro browser.</p>
            </body>
        </noframes>
    </frameset>

If I add this directive I can no longer click on a td in the frame visualizza to refresh the frames funzioni, visualizza (itself) and fondo.
The script that does that is on the page loaded in frame visualizza:
    $(document).on('click', '#tabellaArchivi td', function () {
        var archivio = $(this).attr("id");
        //parent.funzioni.location = 'menu.asp?sceltaarch=1&arc=' + archivio;
        window.top.funzioni.location = 'menu.asp?sceltaarch=1&arc=' + archivio;
        window.top.visualizza.location = 'visualizza.asp?arc=' + archivio;
        window.top.fondo.location = 'fondo.asp?paginafunzioni=menu.asp?sceltaarch=1&arc=' + archivio
            + '&paginavisualizza=visualizza.asp?arc=' + archivio;
    });

I tried both methods (parent.funzioni and window.top.funzioni) to refresh the frame and neither works. When I click on the td I receive:
    visualizza.asp:26 Unsafe attempt to initiate navigation for frame with URL 'http://localhost/login/menu.asp' from frame with URL 'http://localhost/login/visualizza.asp'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
    (anonimo) @ visualizza.asp:26
    dispatch @ jquery.js:2
    v.handle @ jquery.js:2
    visualizza.asp:26 Uncaught SecurityError: Failed to set the 'href' property on 'Location': The current window does not have permission to navigate the target frame to 'menu.asp?sceltaarch=1&arc=2-SILF Finanziamenti'.
        at HTMLTableCellElement.<anonymous> (visualizza.asp:26:31)
        at HTMLDocument.dispatch (jquery.js:2:40035)
        at v.handle (jquery.js:2:38006)

My actual CSP, for all the frames, is:
    frame-ancestors 'self';
    default-src 'self';
    script-src 'self' 'report-sample' 'nonce-****';
    style-src 'self' 'report-sample' 'nonce-****';
    object-src 'none';
    frame-src 'self';
    child-src 'self';
    img-src 'self';
    font-src 'self';
    connect-src 'self';
    manifest-src 'none';
    base-uri 'self';
    form-action 'self';
    media-src 'self';
    worker-src 'none';
    upgrade-insecure-requests;
    report-uri https://xxx.report-uri.com/r/d/csp/reportOnly;
    report-to https://xxx.report-uri.com/r/d/csp/reportOnly;
    sandbox allow-scripts allow-popups allow-forms allow-modals allow-same-origin allow-top-navigation allow-top-navigation-by-user-activation allow-popups-to-escape-sandbox;

I tried adding all the values for sandbox without success, and I tried using window.top.framename instead of parent.framename in the JavaScript code.
I expect to be able to refresh one frame from another. Is there a solution to my problem? Thanks in advance.
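Added example, not part of the question above. The SecurityError in the console is the sandbox working as designed: a sandboxed browsing context may navigate only itself, its own descendants and (with allow-top-navigation) the top-level context, never a sibling frame such as funzioni or fondo, and no sandbox flag lifts that rule. One design that keeps the sandbox directive on visualizza.asp and still refreshes the other frames is to have the sandboxed frame ask the frameset document (window.top) to do the navigation through postMessage; the frameset is allowed to navigate its descendants whether or not it is itself sandboxed. The receiving side checks the sender's origin and only ever navigates a fixed set of named frames to URLs it builds itself, so a message can never pick an arbitrary frame or URL. Frame names and URL layouts are taken from the question; the message shape `{ type: 'navigate', arc }`, the function planNavigation and the listener on the frameset page are assumptions for this example. The pure function runs in Node; the browser wiring only runs when a window exists.

```javascript
// Added example (not from the question). Frame names and URL layouts follow the
// question's frameset; the message format and planNavigation are assumptions.

// The only frames the frameset page will ever navigate, and how each URL is built.
// The nested URL layout mirrors the question's script; 'arc' is URL-encoded before use.
const FRAME_URLS = {
  funzioni:   (arc) => 'menu.asp?sceltaarch=1&arc=' + arc,
  visualizza: (arc) => 'visualizza.asp?arc=' + arc,
  fondo:      (arc) => 'fondo.asp?paginafunzioni=menu.asp?sceltaarch=1&arc=' + arc +
                       '&paginavisualizza=visualizza.asp?arc=' + arc,
};

// Decide what to do with a message received by the frameset (top) page.
// Returns the list of { frame, url } navigations to perform, or null if rejected.
function planNavigation(data, origin, expectedOrigin) {
  // Accept messages from our own origin only. This relies on allow-same-origin being
  // in the sandbox list (as in the question); without it the sandboxed frame's origin
  // is opaque and arrives as the string "null", so the message is rejected.
  if (origin !== expectedOrigin) return null;
  if (!data || data.type !== 'navigate' || typeof data.arc !== 'string') return null;
  if (data.arc.length === 0 || data.arc.length > 200) return null;
  const arc = encodeURIComponent(data.arc);
  return Object.keys(FRAME_URLS).map((name) => ({ frame: name, url: FRAME_URLS[name](arc) }));
}

// Browser wiring; skipped when this file is loaded outside a browser (e.g. Node).
if (typeof window !== 'undefined') {
  if (window === window.top) {
    // Frameset document: may navigate its own descendants even if it is sandboxed too.
    window.addEventListener('message', (event) => {
      const plan = planNavigation(event.data, event.origin, window.location.origin);
      if (!plan) return;
      for (const step of plan) {
        const target = window.frames[step.frame]; // lookup by the frame's name attribute
        if (target) target.location.href = step.url;
      }
    });
  } else {
    // visualizza.asp: instead of window.top.funzioni.location = ..., which the sandbox
    // forbids, ask the frameset page to perform the navigation.
    document.addEventListener('click', (event) => {
      const td = event.target.closest('#tabellaArchivi td');
      if (!td) return;
      window.top.postMessage({ type: 'navigate', arc: td.id }, window.location.origin);
    });
  }
}
```

The frameset page must load this script (or its listener half) itself, since the sandboxed frame cannot reach into it; the existing jQuery click handler in visualizza.asp is then replaced by the postMessage call. Because the frame list and URL templates live on the receiving side, the sandboxed page gains no more navigation capability than the three refreshes it had before.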
