Content-Security-Policy blocks Web Workers with Blobs

RESOLVED INVALID

Status

defect
P2
normal
RESOLVED INVALID
5 years ago
4 years ago

People

(Reporter: nadav, Unassigned)

Tracking

(Blocks 1 bug)

30 Branch
x86_64
Linux
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:

When using Content-Security-Policy, even when 'self', 'unsafe-eval' and 'unsafe-inline' are specified, it is not possible to use Web Workers with Blob scripts.

Can be reproduced with the following nodejs script:

require('http').createServer(function(req, res) {
  res.writeHead(200, { 'Content-Security-Policy': "script-src 'self' 'unsafe-inline' 'unsafe-eval';" })
  res.end(
    '<html><body><script>'
    +'new Worker(window.URL.createObjectURL(new Blob(["postMessage(123)"], { type: "text/javascript" })))'
    +'</script></body></html>'
  )
}).listen(9090)

(Note that, to the best of my knowledge, 'unsafe-inline' should not be required when Blob scripts are used from non-inline scripts. I only added it because the test here uses inline scripts.)


Actual results:

Error: Failed to load script (nsresult = 0x805e0006)
	
...window.URL.createObjectURL(new Blob(["postMessage(123)"], { type: "text/javascri...

localhost:9090 (line 1)


Expected results:

The Web Worker should work. The same script works on Chrome.
Blocks: CSP
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P2
The spec says you need to explicitly add blob: to your whitelist. In our opinion Chrome has a bug, but even so it doesn't hurt to add blob: to the string for them too.

See https://w3c.github.io/webappsec/specs/content-security-policy/#match-source-expression section 4.2.2 step 2
(In reply to Daniel Veditz [:dveditz] from comment #1)
> The spec says you need to explicitly add blob: to your whitelist. In our
> opinion Chrome has a bug, but even so it doesn't hurt to add blob: to the
> string for them too.
> 
> See https://w3c.github.io/webappsec/specs/content-security-policy/#match-source-expression
> section 4.2.2 step 2

Thanks Dan; that is absolutely right, blob: has to be explicitly whitelisted in the CSP. Marking this bug as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
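
Added example (not part of the bug report and not Firefox's code): a simplified sketch of CSP source-list matching, showing why the reported policy rejects the worker's blob: URL and why adding blob: allows it. The function names, the constructed blob URL and the reduced scope ('*', scheme-sources, 'self' and exact host-sources only) are assumptions of this sketch.

```javascript
// Added example: simplified CSP source-list matching, not browser code.
// Handles '*', scheme-sources, 'self' and exact host-sources only; paths,
// host wildcards, nonces, hashes and default-src fallback are left out.
const PAGE = 'http://localhost:9090/';  // page from the report's test server
// Constructed sample of what URL.createObjectURL() returns on that page.
const BLOB_URL = 'blob:http://localhost:9090/0b9c2f4e-6a1d-4c3b-9e57-2d8f1a7c5e10';
const REPORTED = "script-src 'self' 'unsafe-inline' 'unsafe-eval';";
const FIXED = "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:;";

function matchesSource(expr, url, pageUrl) {
  const u = new URL(url);
  const page = new URL(pageUrl);
  if (expr === '*') {
    // The wildcard does not cover blob:, data: or filesystem: URLs.
    return !['blob:', 'data:', 'filesystem:'].includes(u.protocol);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return u.protocol === expr.toLowerCase();  // scheme-source such as blob:
  }
  if (expr.startsWith("'")) {
    // Keywords other than 'self' ('unsafe-inline', 'unsafe-eval') match no URL.
    if (expr.toLowerCase() !== "'self'") return false;
    // Compare scheme and host:port, not u.origin: a blob URL reports the
    // creating page's origin even though its scheme is blob:.
    return u.protocol === page.protocol && u.host === page.host;
  }
  let src;  // host-source; a scheme-less one is assumed to use the page's scheme
  try {
    src = new URL(expr.includes('://') ? expr : `${page.protocol}//${expr}`);
  } catch {
    return false;
  }
  return u.protocol === src.protocol && u.host === src.host;
}

function allowsScript(policy, url, pageUrl) {
  const directive = policy.split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'script-src');
  if (!directive) return true;  // assumption: no script-src means unrestricted
  return directive.slice(1).some((e) => matchesSource(e, url, pageUrl));
}

console.log('reported policy:', allowsScript(REPORTED, BLOB_URL, PAGE));
console.log('with blob: added:', allowsScript(FIXED, BLOB_URL, PAGE));
```
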