Firefox Nightly Registers Service Worker in windows with insecure opener

UNCONFIRMED
Unassigned

Status


defect
P3
normal
2 years ago
2 years ago

People

(Reporter: msvr, Unassigned)

Tracking

(Blocks 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce:

Repro steps:
1. Go to http://pentest.azurewebsites.net/open.php?url=https%3A%2F%2Fshhnjk.azurewebsites.net%2Fsw.html
2. Click on window.open link.
3. Service worker is registered in non-secure context.


Actual results:

Firefox Nightly registers Service Worker in non-secure context


Expected results:

Register Service Worker in secure context.
(Reporter)

Comment 1

2 years ago
Acknowledgement:
Jun Kokatsu and Microsoft Vulnerability Research
Group: firefox-core-security → dom-core-security
Component: General → DOM: Service Workers
Product: Firefox → Core
We are compatible with Chrome here at the moment. There is some discussion as to whether we want an insecure opener to block the service worker from running on an https site. For example, see bug 1341982.

John, what is our status on bug 1341982 and secure-context-with-insecure-opener?

Also, I'm not sure this needs to be a private bug or not.
Flags: needinfo?(jkt)
Sorry Ben, that bug is assigned to me; however, I haven't been working on it. I will ask if we want to prioritise this work going forward. The CSP work would likely fall into our team's work and we have people in the WebAppSec that can do spec work etc.

I think this is a known limitation that violates the specification with minimal security risk. :dveditz would be the ultimate decision maker on if it's security worthy; however, it was my understanding it was widely known.
Flags: needinfo?(jkt)
Daniel, can we open this bug up? Per comment 2 and comment 3 this is a known spec issue and it's unclear what the final desired outcome will be. Also, we currently match behavior with Chrome here.
Flags: needinfo?(dveditz)
Yes, unhiding the bug. The opener condition in the spec is unintuitive and non-reciprocal. We probably want to change the spec rather than our behavior.
Group: dom-core-security
Flags: needinfo?(dveditz)
Seems like something that needs to be fixed at the spec level first so P3.
Priority: -- → P3
Summary: Firefox Nightly Registers Service Worker in Non-Secure Context → Firefox Nightly Registers Service Worker in windows with insecure opener
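
The disagreement discussed in this bug, as a simplified model added here (not code from Firefox, Chrome or the specification): one policy treats an HTTPS window as a secure context regardless of its opener, which is the behaviour reported above, and the other also applies the opener condition. The window objects, the `.example` hosts and all function names are constructed for illustration.

```javascript
// Simplified model of the two policies debated in this bug. It is not spec
// text and not browser code; window objects and URLs below are constructed.

// Rough stand-in for "potentially trustworthy": TLS schemes or loopback hosts.
function isTrustworthyUrl(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  return ['localhost', '127.0.0.1', '[::1]'].includes(u.hostname);
}

// Policy A: the window and every ancestor frame must be trustworthy.
// The opener is ignored, which is the behaviour reported in this bug.
function secureIgnoringOpener(win) {
  for (let w = win; w; w = w.parent) {
    if (!isTrustworthyUrl(w.url)) return false;
  }
  return true;
}

// Policy B: policy A, plus the opener condition: the window that opened the
// top-level window must itself have been a secure context.
function secureWithOpenerCondition(win) {
  if (!secureIgnoringOpener(win)) return false;
  let top = win;
  while (top.parent) top = top.parent;
  return top.opener ? secureWithOpenerCondition(top.opener) : true;
}

// Service worker registration requires a secure context, so each policy's
// answer decides whether register() would be allowed in that window.
function evaluate(win) {
  return {
    ignoringOpener: secureIgnoringOpener(win),
    withOpenerCondition: secureWithOpenerCondition(win),
  };
}

// Constructed scenarios (hypothetical hosts).
const httpOpener = { url: 'http://opener.example/open.html' };
const httpsOpener = { url: 'https://portal.example/' };
const scenarios = {
  popupFromHttp: { url: 'https://app.example/sw.html', opener: httpOpener },
  popupFromHttps: { url: 'https://app.example/sw.html', opener: httpsOpener },
  popupNoOpener: { url: 'https://app.example/sw.html' },
  frameInHttpPage: { url: 'https://app.example/sw.html', parent: httpOpener },
};
for (const [name, win] of Object.entries(scenarios)) {
  console.log(name, evaluate(win));
}
```

Only `popupFromHttp` separates the two policies; the other three scenarios get the same answer under both.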