If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

WebSocket on WebWorker bypasses CSP

RESOLVED DUPLICATE of bug 959388

Status

()

Core
DOM: Workers
RESOLVED DUPLICATE of bug 959388
2 years ago
2 years ago

People

(Reporter: Muneaki Nishimura, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
CSP is not applied to WebSocket requests invoked from worker script.

Here is the PoC.
http://csp.csrf.jp/worker/websocket.html

The WebSocket request from main thread (websocket.js:L3) is prohibited correctly but the WebSocket request from worker thread (websocket_worker.js:L2) is not prohibited and onmessage handler (websocket_worker.js:L8) is called.
Flags: needinfo?(mozilla)
Muneaki, thanks for reporting the problem. Workers do not inherit the CSP from their parent [1] and we haven't implemented CSP for workers yet [2]. It's currently a P3, but if people think we should implement this rather sooner than later than I am happy to reevaluate and potentially make it a P1.

[1] http://www.w3.org/TR/CSP11/#processing-model-workers
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=959388
Flags: needinfo?(mozilla)
(Reporter)

Comment 2

2 years ago
Oh... I will evaluate it again after you implement it, thanks!
(In reply to Muneaki Nishimura from comment #2)
> Oh... I will evaluate it again after you implement it, thanks!

Sounds like a good plan to me :-)
Duping the bug for now, but we can reopen it (or file a new one) if you find it after we've implemented that part of the spec.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 959388
You need to log in before you can comment on or make changes to this bug.