Closed Bug 1490171 Opened Last year Closed Last year

Web Worker data URI CSP bypass

Categories

(Core :: DOM: Security, defect)

62 Branch
defect
Not set

Tracking


RESOLVED DUPLICATE of bug 1490165

People

(Reporter: francois.lajeunesse.robert, Unassigned)

Details

Attachments

(1 file)

1.29 KB, application/x-javascript
Attached file code.js
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180830143136

Steps to reproduce:

When a Web worker (either Worker or SharedWorker) is loaded from a data URI and the Content-Security-Policy of its owner document is set to "default-src 'self' data:" (see https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#Content_security_policy), the CSP can be bypassed by calling any of the following:
 - setTimeout
 - setInterval
 - eval
 - new Function
 - importScripts


Actual results:

The attached code.js is a POC showing that the CSP can be bypassed when either a Worker or SharedWorker is loaded from a data URI with the Content-Security-Policy of its owner document set to "default-src 'self'.


Expected results:

The CSP should have blocked the execution of
 - setTimeout
 - setInterval
 - eval
 - new Function
 - importScripts
as it does for blob URIs, as per the documentation.
Group: firefox-core-security
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
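To make the expected behaviour concrete, the following added example (not part of the bug report or the attached code.js) evaluates an owner-document policy the way CSP3 fallback resolves it: worker-src falls back to child-src, script-src and default-src, and eval-like APIs require 'unsafe-eval' in the governing script-src list. The policy strings are constructed for illustration; the first one is the policy from this report.

```javascript
// CSP3 fallback chains for the two directives that matter here.
const FALLBACK = {
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// Parse "directive src src; directive src" into a Map of source lists.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Source list governing `directive`, walking the fallback chain;
// null means no directive applies and the load is unrestricted.
function effectiveSources(policy, directive) {
  for (const name of FALLBACK[directive] || [directive]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// May a worker be created from a URL with this scheme (e.g. "data")?
// Note: '*' does not match data:, so only an explicit scheme-source counts.
function allowsWorkerScheme(header, scheme) {
  const sources = effectiveSources(parseCsp(header), 'worker-src');
  return sources === null || sources.includes(`${scheme}:`);
}

// May eval / new Function / string setTimeout run under this policy?
// A data: worker inherits the owner document's CSP, so this is what the
// worker should enforce as well.
function allowsEval(header) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  return sources === null || sources.includes("'unsafe-eval'");
}

// Expected enforcement for a data: URI worker under the given policy.
function expectedWorkerEnforcement(header) {
  return {
    dataWorkerLoads: allowsWorkerScheme(header, 'data'),
    evalAllowed: allowsEval(header),
  };
}

// Policy from this bug report: the worker may load, but eval must be blocked.
console.log(expectedWorkerEnforcement("default-src 'self' data:"));
```

Comparing the returned `evalAllowed` flag against what the worker actually manages to execute is a quick regression check for the behaviour described above.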
In the actual results section the sentence « [...] Content-Security-Policy of its owner document set to "default-src 'self' » should have been « [...] Content-Security-Policy of its owner document set to "default-src 'self' data:"»
This is probably a dupe of bug 1490165 -- much more likely "not enforcing eval() restrictions in workers" generally than there are two bugs specific to the type of URL that just happen to have the same result.
Depends on: 1490165
No longer depends on: 1490165
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → DUPLICATE
Duplicate of bug: 1490165
Group: dom-core-security