Closed
Bug 1322111
Opened 8 years ago
Closed 7 years ago
importScripts should be governed by script-src in Web Workers
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla54
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | fixed |
People
(Reporter: gandhi.rahul93, Assigned: bkelly)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments
(4 files)
|
7.21 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
|
2.18 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
|
1.20 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
|
3.77 KB,
patch
|
asuth
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 Steps to reproduce: 1) Create a worker with a file which has CSP set to script-src 'self' 2) Inside the Web Worker Script, we use importScripts to import file from other origin. Actual results: It works. Expected results: According to the spec, importScripts should be governed by script-src in Web Workers. However, importScripts seems to be honoring child-src on Firefox (tested on 50.0.2). Chrome and Edge are honoring script-src. https://www.w3.org/TR/CSP2/#directive-script-src
|
Reporter | |
Updated•8 years ago
|
Component: Untriaged → Security
|
|
Reporter | |
Comment 1•8 years ago
|
||
importScripts seems to be honoring child-src. This exposes some vulnerabilities; to block the use of different origin in importScripts, we would have to set child-src to 'self' This would allow the creation of workers in that domain which could otherwise have been blocked if script-src was honored to block importScripts and child-src to null.
|
||
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
|
Assignee | |
Comment 2•7 years ago
|
||
There is probably more to it, but switching this to SCRIPT_SRC_DIRECTIVE lets me pass my WPT test: https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.cpp#233
|
|
Assignee | |
Updated•7 years ago
|
Blocks: ServiceWorkers-compat
|
|
Assignee | |
Comment 3•7 years ago
|
||
It seems that perhaps we should implement worker-src instead of script-src for workers. That is what the latest specs mention: https://w3c.github.io/webappsec-csp/#worker-src
|
|
Assignee | |
Comment 4•7 years ago
|
||
Oh, that document also says: "A worker-src directive has been added, deferring to script-src if not present (which likewise defers to default-src in turn)." So script-src should still be honored it looks like.
|
|
Assignee | |
Comment 5•7 years ago
|
||
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•7 years ago
|
||
|
|
Assignee | |
Comment 7•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b1ba0dde7a3eec1d9e43afa9802abfb66ac967d2
|
|
Assignee | |
Comment 8•7 years ago
|
||
Comment on attachment 8837217 [details] [diff] [review] P1 Add TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS content policy type. r=ckerschb Add an nsIContentPolicy type to distinguish importScripts().
Attachment #8837217 -
Flags: review?(ckerschb)
|
|
Assignee | |
Comment 9•7 years ago
|
||
Comment on attachment 8837218 [details] [diff] [review] P2 Make importScripts() use TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS. r=ckerschb Make worker ScriptLoader use the new nsIContentPolicy type for importScripts() channels.
Attachment #8837218 -
Flags: review?(ckerschb)
|
|
Assignee | |
Comment 10•7 years ago
|
||
Comment on attachment 8837219 [details] [diff] [review] P3 Update WPT test expectations. r=ckerschb Update WPT tests to expect new cases to pass.
Attachment #8837219 -
Flags: review?(ckerschb)
|
|
Assignee | |
Comment 11•7 years ago
|
||
Since we're adding a new nsIContentPolicy type that can be stored in the Cache db we need to update the schema version to avoid older builds trying to interpret this value.
Attachment #8837298 -
Flags: review?(bugmail)
|
||
Comment 12•7 years ago
|
||
Comment on attachment 8837298 [details] [diff] [review] P4 Update the Cache API schema to account for new nsIContentPolicy type. r=asuth Review of attachment 8837298 [details] [diff] [review]: ----------------------------------------------------------------- Affirming the downgrade-precluding schema bump is appropriate because the past can't handle enumeration-styled values from the future.
Attachment #8837298 -
Flags: review?(bugmail) → review+
|
||
Comment 13•7 years ago
|
||
Comment on attachment 8837217 [details] [diff] [review] P1 Add TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS content policy type. r=ckerschb Review of attachment 8837217 [details] [diff] [review]: ----------------------------------------------------------------- looks good, r=me ::: extensions/permissions/nsContentBlocker.cpp @@ +64,5 @@ > + "", // TYPE_INTERNAL_IMAGE_PRELOAD > + "", // TYPE_INTERNAL_STYLESHEET > + "", // TYPE_INTERNAL_STYLESHEET_PRELOAD > + "", // TYPE_INTERNAL_IMAGE_FAVICON > + "", // TYPE_INTERNAL_WORKERS_IMPORT_SCRIPTS thanks for updating.
Attachment #8837217 -
Flags: review?(ckerschb) → review+
|
|
||
Comment 14•7 years ago
|
||
Comment on attachment 8837218 [details] [diff] [review] P2 Make importScripts() use TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS. r=ckerschb Review of attachment 8837218 [details] [diff] [review]: ----------------------------------------------------------------- thanks, r=me ::: dom/workers/ScriptLoader.cpp @@ +171,5 @@ > } > > + nsContentPolicyType contentPolicyType = > + aIsMainScript ? aContentPolicyType > + : nsIContentPolicy::TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS; I suppose that is a valid distinguisher between regular script and script that is imported using importScripts, but looks reasonable to me.
Attachment #8837218 -
Flags: review?(ckerschb) → review+
|
|
||
Comment 15•7 years ago
|
||
Comment on attachment 8837219 [details] [diff] [review] P3 Update WPT test expectations. r=ckerschb Review of attachment 8837219 [details] [diff] [review]: ----------------------------------------------------------------- r=me
Attachment #8837219 -
Flags: review?(ckerschb) → review+
|
||
Comment 16•7 years ago
|
||
Pushed by bkelly@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/30f248917596 P1 Add TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS content policy type. r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/1af6b50e212f P2 Make importScripts() use TYPE_INTERNAL_WORKER_IMPORT_SCRIPTS. r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/fca96fba3e51 P3 Update WPT test expectations. r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/8f45618754fe P4 Update the Cache API schema to account for new nsIContentPolicy type. r=asuth
|
||
Comment 17•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/30f248917596 https://hg.mozilla.org/mozilla-central/rev/1af6b50e212f https://hg.mozilla.org/mozilla-central/rev/fca96fba3e51 https://hg.mozilla.org/mozilla-central/rev/8f45618754fe
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox54:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
You need to log in
before you can comment on or make changes to this bug.
Description
•