Closed
Bug 1179064
Opened 9 years ago
Closed 9 years ago
Ensure that service worker code for signed packages is contained within the package
Categories
(Core :: DOM: Security, defect, P2)
Tracking
RESOLVED
WONTFIX
tracking-b2g | backlog |
People
(Reporter: pauljt, Assigned: dimi)
Bug 1178556 ensures that all script that is loaded into a signed package's origin is inside the package itself (i.e. using script-src self). We need to ensure that the same is true for service workers that are loaded for signed packages (we wouldn't want the service worker code coming from outside the package). The CSP directive child-src was discussed but this is likely too coarse, since signed packages should be allowed to frame any site they want - it's just the workers that we need to restrict here.
Updated•9 years ago
Blocks: ServiceWorkers-B2G
Updated•9 years ago (Reporter)
Priority: -- → P2
Updated•9 years ago (Reporter)
blocking-b2g: --- → 2.5+
Comment 1•9 years ago
Hi Dimi,
I suppose this bug should be assigned to you.
If it's not appropriate, please let me know. :)
Assignee: nobody → dlee
Status: NEW → ASSIGNED
Updated•9 years ago (Assignee)
Target Milestone: --- → FxOS-S6 (04Sep)
Comment 2•9 years ago (Assignee)
This bug will not affect the NSec first milestone.
Target Milestone: FxOS-S6 (04Sep) → FxOS-S9 (16Oct)
Updated•9 years ago (Assignee)
Target Milestone: FxOS-S9 (16Oct) → ---
Comment 3•9 years ago (Assignee)
Just checked the code and, if I understand correctly, ServiceWorkerManager will check SOP for the registered worker script [1]. So for a SW loaded in a signed package, it should not be able to load service worker code that comes from a different origin. Also, the scope is checked in [2].
And what we do not handle right now is that two signed packages with the same host will be treated as same origin [3]. So maybe this bug is not really related to SW but related to how we should handle |checkMayLoad| properly based on bug 1178526?
Hi Jonas, does this make sense to you?
[1] https://dxr.mozilla.org/mozilla-central/source/dom/workers/ServiceWorkerManager.cpp#1531
[2] https://dxr.mozilla.org/mozilla-central/source/dom/workers/ServiceWorkerManager.cpp#1537
[3] https://dxr.mozilla.org/mozilla-central/source/netwerk/base/nsNetUtil.cpp#1694
Flags: needinfo?(jonas)
I suspect that the same-origin checks won't automatically detect that a URL which is outside of the package, but still pointing to the same server, will be considered different-origin. This is because they will only differ in the OriginAttributes, and URLs don't have OriginAttributes, only principals do.
Flags: needinfo?(jonas)
In other words, I don't think the code as written right now will work.
documentPrincipal->CheckMayLoad(aScopeURI, true, false);
will return success even if documentPrincipal has the signedPkg set as long as aScopeURI is in the same server.
Comment 6•9 years ago (Assignee)
As discussed with jonas in today's NSec meeting, I will implement this inside ServiceWorker's code by checking signedPkg in documentPrincipal and comparing it with the scriptURI & scopeURI arguments.
Comment 7•9 years ago (Assignee)
In today's NSec meeting, we agreed we would like to try not modifying service worker's code.
And after checking with Christoph, to use CSP to restrict service workers so that they can only be loaded from inside the signed package while still allowing frames to load, we could use:
child-src 'self'; frame-src *
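How the policy in Comment 7 separates workers from frames, as an added example that is not part of the bug thread and is not Gecko code: a simplified JavaScript model of CSP directive fallback (CSP Level 3 order). The names `parsePolicy`, `sourceMatches` and `checkLoad` and the `*.example` hosts are constructed for illustration, and only `'self'`, `'none'`, `*` and exact origins are modelled.

```javascript
// Simplified model of CSP directive fallback for the two request kinds
// discussed in this bug. Illustrative only; not browser code.
const FALLBACK = {
  worker: ["worker-src", "child-src", "script-src", "default-src"],
  frame: ["frame-src", "child-src", "default-src"],
};

// Parse "child-src 'self'; frame-src *" into { directive: [sources...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources; // first one wins
  }
  return directives;
}

// Match one source expression against the target URL.
function sourceMatches(source, target, self) {
  if (source === "'none'") return false;
  if (source === "*") return /^(https?|wss?):$/.test(target.protocol);
  if (source === "'self'") return target.origin === self.origin;
  try { return new URL(source).origin === target.origin; } catch { return false; }
}

// Decide whether `url` may load as `kind` ("worker" or "frame") in the
// document at `docUrl`, and report which directive made the decision.
function checkLoad(policy, kind, url, docUrl) {
  const directives = parsePolicy(policy);
  const self = new URL(docUrl);
  const target = new URL(url, docUrl);
  const directive = FALLBACK[kind].find((d) => d in directives);
  if (!directive) return { allowed: true, directive: null }; // nothing governs it
  const allowed = directives[directive].some((s) => sourceMatches(s, target, self));
  return { allowed, directive };
}

// Constructed sample values: app.example stands in for the package origin.
const POLICY = "child-src 'self'; frame-src *";
const DOC = "https://app.example/index.html";
console.log(checkLoad(POLICY, "worker", "/sw.js", DOC));
console.log(checkLoad(POLICY, "worker", "https://cdn.example/sw.js", DOC));
console.log(checkLoad(POLICY, "frame", "https://other.example/page", DOC));
```

The model compares URL origins only, so it does not capture the signedPkg origin attribute raised earlier in the thread.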
Comment 8•9 years ago (Assignee)
We should add this to the default CSP of signed packages.
Depends on: 1179060
Comment 9•9 years ago
[Tracking Requested - why for this release]:
This bug being part of New Security Model shouldn’t be a 2.5 blocker as New Sec is not part of 2.5 now.
Removing 2.5 blocker flag.
blocking-b2g: 2.5+ → ---
tracking-b2g: --- → backlog
Comment 10•9 years ago
The new security model project was suspended.
We had discussed the idea of NSEC v2, in which it seems we are unlikely to use the signed package format.
So there is no reason to keep working on this bug.
P.S. We don't have a plan for NSEC v2 either.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX