Open
Bug 1467454
Opened 6 years ago
Updated 2 years ago
cross-origin stylesheet load without "crossorigin" attribute treats service worker synthesized CORS response as opaque
Categories
(Core :: DOM: Service Workers, enhancement, P2)
NEW
People
(Reporter: bkelly, Unassigned)
References
(Blocks 1 open bug)
Details
Chrome is writing a WPT test for loading style sheets with service workers. They found an unexpected issue in Firefox:
https://bugs.chromium.org/p/chromium/issues/detail?id=848786#c12
The test is basically doing:
    <link href="cross-origin-css.css?cors" rel="stylesheet" type="text/css">
Which initiates a cross-origin no-cors load for the stylesheet from the outer document. The service worker then does:
    const use_cors = (url.searchParams.has('cors'));
    if (file == 'cross-origin-css.css') {
      let fetch_url = REMOTE_ORIGIN + BASE_PATH + CSS_FILE;
      const mode = use_cors ? 'cors' : 'no-cors';
      event.respondWith(fetch(fetch_url, {'mode': mode}));
    }
So the service worker is responding with a "cors" response.
The fetch spec says to use the exact response provided by the service worker:
https://fetch.spec.whatwg.org/#http-fetch
We implemented this in bug 1369862.
Also, the CSSOM spec says that the stylesheet should look at the tainting of the response it received in step 10 here:
https://drafts.csswg.org/cssom/#requirements-on-user-agents-implementing-the-http-link-header
It seems that the stylesheet loader probably needs to be updated to use the nsILoadInfo::GetTainting() value instead of computing its own cross-origin tainting value.
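Added example (not part of the bug report, and not Gecko, Chromium or WPT code): a simplified JavaScript model of the mismatch described above, comparing an origin-clean decision taken from the delivered response's type with one recomputed from the <link> request. The origins, the function names and the request-based rule are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Gecko, Chromium or WPT code.
const DOC_ORIGIN = 'https://doc.example';       // constructed origin
const REMOTE_ORIGIN = 'https://remote.example'; // constructed origin

// Type of the Response the worker's fetch() resolves with, assuming the
// remote server passes the CORS check whenever mode is 'cors'.
function workerFetchType(url, mode) {
  if (new URL(url).origin === DOC_ORIGIN) return 'basic';
  return mode === 'cors' ? 'cors' : 'opaque';
}

// Fetch "HTTP fetch": a worker-supplied response is used as-is unless its
// type conflicts with the request mode (then the load is a network error).
function acceptWorkerResponse(requestMode, responseType) {
  if (responseType === 'error') return false;
  if (requestMode === 'same-origin' && responseType === 'cors') return false;
  if (requestMode !== 'no-cors' && responseType === 'opaque') return false;
  return true;
}

// Expected: origin-clean follows the tainting of the delivered response.
function originCleanFromResponse(responseType) {
  return ['basic', 'cors', 'default'].includes(responseType);
}

// Assumed model of the reported behaviour: tainting recomputed from the
// <link> request alone (URL origin and crossorigin attribute).
function originCleanFromRequest(linkUrl, crossorigin) {
  return new URL(linkUrl).origin === DOC_ORIGIN || crossorigin !== null;
}

// Simulate <link rel="stylesheet" href=linkUrl> handled by the page's worker.
function loadStylesheet(linkUrl, crossorigin = null) {
  const requestMode = crossorigin !== null ? 'cors' : 'no-cors';
  const useCors = new URL(linkUrl).searchParams.has('cors');
  const workerMode = useCors ? 'cors' : 'no-cors';
  const type = workerFetchType(REMOTE_ORIGIN + '/cross-origin-css.css', workerMode);
  if (!acceptWorkerResponse(requestMode, type)) return { loaded: false };
  return {
    loaded: true,
    responseType: type,
    expectedClean: originCleanFromResponse(type),
    reportedClean: originCleanFromRequest(linkUrl, crossorigin),
  };
}

console.log(loadStylesheet(REMOTE_ORIGIN + '/cross-origin-css.css?cors'));
```

Only the "?cors" load without a crossorigin attribute makes the two decisions disagree; that is the case the test exercises.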
Comment 1•6 years ago
The chromium bug is not accessible with default privs, so if you can provide the current path of the future WPT test or link to their uplift issue when that happens, that would be helpful.
Updated•6 years ago
Priority: -- → P2
Comment 2•6 years ago (Reporter)
The WPT tests landed upstream a week or so ago. WPT sync is in bug 1467542.
Depends on: 1467542
Comment 3•6 years ago
I'd like to take this bug.
Assignee: nobody → shes050117
Status: NEW → ASSIGNED
Comment 4•6 years ago
It seems that I'm not active on this bug, so I'm removing the assignee.
I suspect that we might want to update the value of GetCORSMode() by getting the "tainting" from the channel so that we can bypass the check in the style sheet [1]. However, I didn't have time to check that.
[1] https://searchfox.org/mozilla-central/rev/de7676288a78b70d2b9927c79493adbf294faad5/layout/style/StyleSheet.cpp#718-724
Assignee: shes050117 → nobody
Status: ASSIGNED → NEW
Updated•2 years ago
Severity: normal → S3