IsURIPotentiallyTrustworthy should check nesting and wss

NEW
Unassigned

Status

()

Product:
Core
Component:
Security
Reported:
3 years ago
Modified:
3 years ago

People

(Reporter: tanvi, Unassigned)

Tracking

Version:
44 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details
(Reporter)

Description

3 years ago 
IsURIPotentiallyTrustworthy should check nested protocols.  We probably should just check the innermost scheme here against https, file, etc:
http://mxr.mozilla.org/mozilla-central/source/dom/security/nsContentSecurityManager.cpp#410

We should also add wss per spec.  I'm not sure why Service Workers need an API that doesn't accept wss (https://bugzilla.mozilla.org/show_bug.cgi?id=1221365#c12)

Comment 1

3 years ago 
Service workers explicitly wants only http/https.  I just landed checks in SWM to do this after the trustworthy check is made.

I raised a spec issue about this:

https://github.com/slightlyoff/ServiceWorker/issues/780#issuecomment-155624630

Updated

3 years ago
No longer blocks: 1162772
See Also: → bug 1162772
You need to log in before you can comment on or make changes to this bug.