Closed
Bug 1223378
Opened 9 years ago
Closed 9 years ago
Improve service worker register() origin checks
Categories
(Core :: DOM: Service Workers, defect)
Core
DOM: Service Workers
Tracking
()
RESOLVED
FIXED
mozilla45
People
(Reporter: bkelly, Assigned: bkelly)
References
Details
Attachments
(2 files)
|
3.59 KB,
patch
|
baku
:
review+
ritu
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
1.13 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
In bug 1221365 it was pointed out we should be checking the document's principal for trustworthiness, not the document URI. This matches the spec which talks about verifying the origin, not the URI itself. In addition, now that the potential trustworthy origin check permits things like file:// and wss:// URIs, we should explicitly check for http:// and https://.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
|
||
Comment 1•9 years ago
|
||
Doesn't bug 1162772 and bug 1220687 cover this?
|
|
Assignee | |
Comment 2•9 years ago
|
||
(In reply to Jonathan Watt [:jwatt] from comment #1) > Doesn't bug 1162772 and bug 1220687 cover this? Fixing those bugs will probably do more than I am planning to do here. Its not clear to me what the final outcome of those bugs will be, though.
|
|
Assignee | |
Comment 3•9 years ago
|
||
This tightens some of the checks in service worker register() to use principals instead of the document URI. Also, it checks the scheme explicitly as described in this spec issue: https://github.com/slightlyoff/ServiceWorker/issues/780 Try build: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6afcdf62bf97
Attachment #8685462 -
Flags: review?(amarchesini)
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8685462 [details] [diff] [review] Tighten service worker register() principal checks. r=baku Review of attachment 8685462 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/workers/ServiceWorkerManager.cpp @@ +1503,5 @@ > + // is a good block against accidentally allowing blob: script URIs which > + // might inherit the origin. > + bool isHttp = false; > + bool isHttps = false; > + aScriptURI->SchemeIs("http", &isHttp); should you check the return value?
Attachment #8685462 -
Flags: review?(amarchesini) → review+
|
|
Assignee | |
Comment 5•9 years ago
|
||
(In reply to Andrea Marchesini (:baku) from comment #4) > ::: dom/workers/ServiceWorkerManager.cpp > > + bool isHttp = false; > > + bool isHttps = false; > > + aScriptURI->SchemeIs("http", &isHttp); > > should you check the return value? If SchemeIs() returns failure, then isHttp will still be false. So I just check the boolean value as the end result is the same.
|
|
Assignee | |
Comment 6•9 years ago
|
||
Oh, I don't need the nsContentUtils::IsSystemPrincipal() conditional since the previous code already checks IsChromeDoc(). I'll turn that into an assert.
|
|
Assignee | |
Comment 7•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=324502e6833d
|
|
Assignee | |
Updated•9 years ago
|
|
|
Assignee | |
Comment 8•9 years ago
|
||
The app: protocol rains on my parade again. We need to allow it on non-release builds. https://treeherder.mozilla.org/#/jobs?repo=try&revision=d9c5d7a5a7ce
Attachment #8685494 -
Flags: review?(amarchesini)
|
|
||
Updated•9 years ago
|
Attachment #8685494 -
Flags: review?(amarchesini) → review+
|
||
Comment 10•9 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/89c1060df73f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
|
Assignee | |
Comment 11•9 years ago
|
||
Comment on attachment 8685462 [details] [diff] [review] Tighten service worker register() principal checks. r=baku Approval Request Comment [Feature/regressing bug #]: service workers [User impact if declined]: We are trying to ship service workers in 44 if possible. Making sure register() has the right restrictions is important to that release. [Describe test coverage new/current, TreeHerder]: Existing mochitests/wpt tests. [Risks and why]: Minimal. Only affects service workers. [String/UUID change made/needed]: None.
Attachment #8685462 -
Flags: approval-mozilla-aurora?
Comment on attachment 8685462 [details] [diff] [review] Tighten service worker register() principal checks. r=baku Service Workers is planned for FF44, the sooner these changes make it to Aurora44, the sooner we can get end-user feedback and potential issues.
Attachment #8685462 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 13•9 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/46d8b9f21820
|
|
||
Comment 14•9 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/46d8b9f21820
status-b2g-v2.5:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•