1007634 - CSP allows local Worker construction with only 'unsafe-inline' set

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P2)

Description

[Charlie Hothersall-Thomas]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140428193838

Steps to reproduce:

Serve an HTML file with the header Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'.

Inside that file, use an inline script block to attempt to construct a Worker from a file:

<script>
  var worker = new Worker("/worker.js");

  worker.onmessage = function(event) {
    alert("Received " + event.data);
  }

  worker.postMessage("ping");
</script>

Where worker.js simply contains the following:

this.onmessage = function(event) {
  postMessage("pong");
}


Actual results:

"pong" alert is shown. This means the Worker construction has been allowed from /worker.js, as the worker has replied to the message sent to it.


Expected results:

Construction of worker from /worker.js should be blocked by CSP.

See test pages at:

http://csp.charlie.ht/worker-incorrectly-allowed.html
http://csp.charlie.ht/worker-correctly-allowed.html

worker-incorrectly-allowed.html is served with the same HTML/header combination described in "steps to reproduce". The "pong" alert is shown, when I believe it shouldn't be. There is no directive stating that /worker.js is an allowed script source.

worker-correctly-allowed.html has the same HTML, yet is served with script-src 'self' 'unsafe-inline'. In this case, I expect the Worker construction to be allowed, which is what happens.

Note that this is similar to bug 929292 that I reported yesterday.

Comment 1

[Paul Silaghi, QA [:pauly]]

(In reply to Charlie Hothersall-Thomas from comment #0)
> Note that this is similar to bug 929292 that I reported yesterday.
Didn't you mean bug 1007205 ?

Comment 2

[Charlie Hothersall-Thomas]

(In reply to Paul Silaghi, QA [:pauly] from comment #1)
> (In reply to Charlie Hothersall-Thomas from comment #0)
> > Note that this is similar to bug 929292 that I reported yesterday.
> Didn't you mean bug 1007205 ?

Yes, sorry, must have pasted the wrong one!

Comment 3

[Garrett Robinson [:grobinson]]

Thanks for reporting this! It is definitely a bug. CSP should be enforced on loading worker scripts by the Content Policy check in dom/workers/ScriptLoader.cpp::ChannelFromScriptURL, but it looks like there's a bug in there.

For future reference, note that CSP 1.0 uses script-src to control the loading of worker script (which this bug illustrates), while CSP 1.1 introduces a new directive, child-src, that controls the loading of Workers separately from script-src.

Comment 4

[Sid Stamm [:geekboy or :sstamm]]

Garrett: I'm going to unassign this (please take it back if you plan to continue working on it).

Comment 5

[Eric Shepherd [:sheppy]]

Likely needs some form of docs coverage once this is fixed, since it may change behavior.

Comment 6

[Kate McKinley [:kmckinley, :Kate]]

Attachment: Add a test to show that Worker construction is no longer dependent on CSP script-src

Worker construction is now handled by the child-src CSP directive, as implemented in 1045891 and currently on Firefox 45.

Added test to verify that script-src no longer governs Worker construction.

Comment 7

[Christoph Kerschbaumer [:ckerschb}]

Comment on attachment 8710274 [details] [diff] [review]
Add a test to show that Worker construction is no longer dependent on CSP script-src

Review of attachment 8710274 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Kate, r=me

Comment 8

[Kate McKinley [:kmckinley, :Kate]]

Attachment: Add a test to show that Worker construction is no longer dependent on CSP script-src

Comment 9

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/ab04f30a8732

Comment 10

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/ab04f30a8732