Edge is enforcing the sandbox directive from a report only policy. - by ScottHelme

Status: Won't Fix

Due to several factors the product team decided to focus its efforts on other items.

A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID: 1777832
Status: Closed
Type: Bug
Repros: 0
Opened: 9/11/2015 5:20:43 AM
Access Restriction: Public


The page https://report-uri.io/home/pkp_analyse issues a same-origin XHR to https://report-uri.io/home/analyse_pkp/ that is blocked in Edge. It is not blocked by any other browser.

The error:

SEC7120: Origin https://report-uri.io not found in Access-Control-Allow-Origin header. pkp_analyse
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied. pkp_analyse

If I add the ACAO header then the request still does not work. 

The error:

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied. pkp_analyse

To test the effect with the ACAO header, you can visit the page https://test.report-uri.io/home/pkp_analyse which is exactly the same but served on the test subdomain of the site.


After further investigation this was due to Edge enforcing the sandbox directive of a Content-Security-Policy-Report-Only header that it should not have been enforcing. The sandbox directive lacked the allow-same-origin flag, which was causing the issue.
Posted by Microsoft on 4/4/2016 at 7:05 PM
We've moved! Search for this issue at http://issues.microsoftedge.com. If you don't find it and still believe this is an issue, please file a new issue on our new platform issues tracker.
Posted by ScottHelme on 9/15/2015 at 4:06 PM
Apologies, I have now fixed the issue on the site as it was hindering functionality. You can replicate the problem by issuing the following header on your own site.

Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'; sandbox allow-forms allow-popups; report-uri https://test.report-uri.io/report/ScottHelme"

Then try to perform an XHR to the same origin and it will fail.
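As an added example (not part of Scott Helme's report, of the report-uri.io site, or of any Edge code), the following JavaScript audits CSP response headers for the situation described in this thread: a sandbox directive carried in a Content-Security-Policy-Report-Only header, which a conforming browser must ignore, and what enforcing it would do to the document's origin when allow-same-origin is absent. The header value is the one quoted in the comment above; the sample response objects, the function names and the finding format are constructed for this example.

```javascript
// Added example: CSP header auditor for the sandbox-in-report-only case.
// A sandbox directive in Content-Security-Policy-Report-Only has no effect in a
// conforming browser (a report-only policy cannot sandbox). A browser that
// enforces it anyway, as Edge did in this report, sandboxes the document; without
// allow-same-origin the document gets an opaque ("null") origin, so even a
// same-origin XHR fails the CORS check with an ACAO mismatch.

// Parse a CSP header value into a Map of directive name -> source/flag tokens.
// Directive names are case-insensitive and the first occurrence of a name wins.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// What a sandbox directive with these flags does if a browser enforces it.
function sandboxEffect(flags) {
  const set = new Set(flags.map((f) => f.toLowerCase()));
  return {
    opaqueOrigin: !set.has('allow-same-origin'), // origin becomes opaque
    scriptsBlocked: !set.has('allow-scripts'),
    formsBlocked: !set.has('allow-forms'),
    popupsBlocked: !set.has('allow-popups'),
  };
}

// Audit a response's headers (plain object: header name -> value).
// Returns one finding per CSP header that carries a sandbox directive.
function auditCspHeaders(headers) {
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    const reportOnly = lower === 'content-security-policy-report-only';
    if (!reportOnly && lower !== 'content-security-policy') continue;
    const policy = parseCsp(value);
    if (!policy.has('sandbox')) continue;
    const effect = sandboxEffect(policy.get('sandbox'));
    const finding = { header: name, mode: reportOnly ? 'report-only' : 'enforce', ...effect };
    if (reportOnly) {
      finding.level = 'warn';
      finding.message = 'sandbox in a report-only policy is ignored by conforming browsers; ' +
        (effect.opaqueOrigin
          ? 'a browser that wrongly enforces it gives the page an opaque origin and breaks same-origin XHR'
          : 'a browser that wrongly enforces it still applies the sandbox');
    } else {
      finding.level = effect.opaqueOrigin ? 'error' : 'info';
      finding.message = effect.opaqueOrigin
        ? 'enforced sandbox without allow-same-origin: origin is opaque, same-origin XHR/fetch will fail'
        : 'enforced sandbox keeps the document origin (allow-same-origin present)';
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed samples: the header value quoted in the comment above, sent as
// report-only (the bug), as an enforced policy, and enforced with allow-same-origin.
const REPRO_VALUE =
  "default-src https: data: 'unsafe-inline' 'unsafe-eval'; " +
  'sandbox allow-forms allow-popups; ' +
  'report-uri https://test.report-uri.io/report/ScottHelme';
const SAME_ORIGIN_VALUE = REPRO_VALUE.replace(
  'sandbox allow-forms allow-popups',
  'sandbox allow-forms allow-popups allow-same-origin',
);
const SAMPLE_RESPONSES = {
  reportOnly: { 'Content-Security-Policy-Report-Only': REPRO_VALUE },
  enforced: { 'Content-Security-Policy': REPRO_VALUE },
  enforcedSameOrigin: { 'Content-Security-Policy': SAME_ORIGIN_VALUE },
};

// Run the auditor over every sample and return the findings keyed by label.
function auditSamples() {
  const out = {};
  for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[label] = auditCspHeaders(headers);
  }
  return out;
}

for (const [label, findings] of Object.entries(auditSamples())) {
  for (const f of findings) console.log(`${label}: [${f.level}] ${f.header}: ${f.message}`);
}
```

The report-only sample yields a warning rather than an error because the directive is specified to be inert there; the enforced sample without allow-same-origin is the configuration that actually produces the SEC7120/SCRIPT7002 errors seen above in any browser, which is why the warning text names the same consequence.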
Posted by Microsoft on 9/15/2015 at 3:37 PM
Hello ScottHelme,

I am sorry to hear about the experience you had with MS Edge. We have been unsuccessful in our attempts to reproduce the issue that you had with MS Edge.
Please review the following link for the demonstration of the scenario that you have posted.


It is always possible we are missing a step in the repro. Do keep us updated about the status of your issue and we will be happy to assist you.

Best regards,
The Microsoft Edge Team