Closed Bug 1241888 Opened 9 years ago Closed 9 years ago

Loading cross-origin worker scripts does not throw a SecurityError

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Version:
45 Branch
Platform:
x86_64
Windows 10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mattias, Unassigned)

References

Details

(5 keywords)

Attachments

(1 file)

worker-test.html
382 bytes, text/html
Details
Attached file worker-test.html
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 Steps to reproduce: Starting from Firefox 45, attempting to load a worker script from a different domain no longer throws a SecurityError on the Worker constructor. Instead, the worker is created and dispatches an (asynchronous) error event. 1. Launch a local web server hosting the attached webpage. 2. Navigate to the web page on the local server in Firefox 45. 3. Check the message in the developer console. Actual results: The developer console shows 2 messages: * async error * Error: Failed to load script (nsresult = 0x805303f4) When constructing a Worker with a cross-origin script URL, a Worker instance is successfully created and dispatches an (asynchronous) error event. Expected results: The developer console shows 1 message: * sync error When constructing a Worker with a cross-origin script URL, the browser should immediately throw a SecurityError. This is the behavior in Firefox 44 or lower, as well in many other major browsers (Chrome, IE, Edge,...).
In an ideal world, Firefox would properly implement cross-origin worker script loading and this would be a non-issue, but until then authors need to implement a fall back themselves. For no apparent reason, Firefox 45 seems to deviate from other browsers and previous Firefox versions by dispatching an asynchronous error event rather than synchronously throwing a error. In other browsers, authors could catch the SecurityError and then fall back to loading the worker script file with cross-origin XHR and constructing the worker with a blob URL. However in Firefox 45, the worker constructor does not throw and instead authors must asynchronously handle the error event. The dispatched error event is also not readily distinguishable from an 'actual' worker error. This makes it much more difficult for authors to detect if and when the fall back should be triggered.
Keywords: wsec-crossdomain
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
I seems to have forgot to mention that this was tested on Firefox 45.0a2 (2016-01-21). My apologies.
Component: Untriaged → Security
Keywords: testcase
Product: Firefox → Core
Component: Security → DOM: Workers
Did ScriptLoader.cpp get converted to AsyncOpen2?
(In reply to Ben Kelly [:bkelly] from comment #3) > Did ScriptLoader.cpp get converted to AsyncOpen2? Yes. And this is the reason why we have this issue. It's a known thing. NI Jonas to have a feedback.
Flags: needinfo?(amarchesini) → needinfo?(jonas)
This was an intentional change. We checked with google and they also preferred to do security checks asynchronously. Generally speaking it's a bad idea to have APIs which can fail both synchronously and asynchronously. This way you only have to watch for error events rather than for both error events and exceptions. The spec has been updated to match this new behavior: https://github.com/whatwg/html/issues/337
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Thank you for the quick response. After reading up on the referenced spec changes, it does indeed make sense to handle all security policy violations asynchronously. Since this is now in the spec, I will have to implement a more robust fall back that also handles asynchronous failures. For example, I could make the worker post an initial 'ready' message as soon as it is running and ready to receive messages: * If the main script receives an error event before it receives the 'ready' message, then I can assume that the worker failed to load and I should fall back to XHR + blob worker. * If an error event is received after the 'ready' message, then I can be sure that the worker failed during execution and I should handle it as a script error. Does this seem like a reasonable solution to you, or am I missing something?
Yup, that seems reasonable. It's a bit of a bummer that there's nothing like a 'load' event or a 'ready' event. But like you point out that can be implemented in application code.
A 'load' event would be nice indeed, but for now I'll just make it work in application code. Thanks for your input!
See Also: → 1919592
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: