Problem: When a web server responds with the header
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
this appears to cause Chromium to add the header
Sec-Fetch-Site: cross-site
when requesting the stylesheet from the same origin (and directory) as the containing HTML page. Instead, it is expected that the above CSP causes the browser to submit Sec-Fetch-Site: same-origin.
To reproduce using nginx+Chromium:
Add the following 4 lines to a location directive in an nginx config file:
add_header Content-Security-Policy "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
if ($http_sec_fetch_site = 'cross-site') {
    return 403;
}
Serve the following two static files, report.html and report.css, from that location.
report.html:
<!DOCTYPE html>
<html>
  <head>
    <title>Report</title>
    <link rel="stylesheet" href="report.css">
  </head>
  <body>
    <h1>Report</h1>
  </body>
</html>
and
report.css:
body { font-family: sans-serif }
Here are screenshots of both the report.html and subsequent report.css requests with the Developer tools Network window:
Note that the request for report.css is 403 Forbidden due to the incorrect Sec-Fetch-Site: cross-site header in the request.
Question: Why is Chromium submitting Sec-Fetch-Site: cross-site for a file that should be same-origin based on the given CSP which allows same-origin stylesheets?
Note: If it seems the issue is not being reproduced, verify that the following header is seen in the server response when report.html is requested:
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
in order to set the CSP for the subsequent request for report.css.
Chromium Version 113.0.5672.126 (Official Build) Arch Linux (64-bit)


This appears to be a misconfiguration on the server side. The header:
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
is actually self-contradictory. The directives
default-src 'none'; img-src 'self'; style-src 'self';
attempt to allow same-origin images and stylesheets. However, sandbox without allow-same-origin causes resources to fail the same-origin policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
Thus the most secure adjustment to be made in order to keep sandbox and only allow images and stylesheets to be served from the same origin is to add allow-same-origin to the sandbox directive:

For anyone encountering this problem in Jenkins, a fix is expected to be released in Jenkins 2.417. Other workarounds have recently been updated with this information on https://www.jenkins.io/doc/book/security/configuring-content-security-policy/
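An added example, not part of the original question or answer: a small Python checker that flags the self-contradiction the answer describes, a sandbox directive without allow-same-origin alongside 'self' sources that can then never match. The function names are my own, and the "fixed" header below is a constructed value, not one taken from the page.

```python
"""Added example: lint a CSP for 'self' sources made unreachable by `sandbox`.

Without `allow-same-origin`, `sandbox` gives the document an opaque origin,
so a `'self'` source in any other directive can never match (and same-origin
subresource fetches are reported as cross-site, as in the question).
"""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into {directive: tokens}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue  # empty segment, e.g. after a trailing ';'
        name, *values = parts
        # Browsers ignore a repeated directive; keep the first occurrence.
        policy.setdefault(name.lower(), values)
    return policy


def self_sources_unreachable(header: str) -> list[str]:
    """Return directives whose 'self' source cannot match because the policy
    sandboxes the page without allow-same-origin. An empty list means OK."""
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return []
    flags = {flag.lower() for flag in policy["sandbox"]}
    if "allow-same-origin" in flags:
        return []
    return sorted(
        name
        for name, values in policy.items()
        if name != "sandbox" and "'self'" in (v.lower() for v in values)
    )


# Constructed sample values: the header from the question, and a corrected form.
BROKEN = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
FIXED = "sandbox allow-same-origin; default-src 'none'; img-src 'self'; style-src 'self';"

if __name__ == "__main__":
    for label, header in (("broken", BROKEN), ("fixed", FIXED)):
        bad = self_sources_unreachable(header)
        print(f"{label}: " + ("OK" if not bad else "unreachable 'self' in " + ", ".join(bad)))
```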