Open
Bug 1491119
Opened 6 years ago
Updated 2 years ago
Service Worker Registration can be done on another origin by a rogue Content Process
Categories
(Core :: DOM: Service Workers, enhancement, P3)
Tracking
NEW
Fission Milestone: Future
People
(Reporter: tjr, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
Every method in https://searchfox.org/mozilla-central/source/dom/serviceworkers/PServiceWorkerContainer.ipdl accepts an IPCClientInfo struct, which contains a principal. This principal is used to determine what origin to operate on.
A rogue Content Process can specify whatever principal they like, and this appears to allow one to register service workers for another origin.
We could validate the Principal specified in the struct, but it seems like it may be better to have this actor be constructed with the principal already specified from a trusted value in the Parent Process.
Updated•6 years ago
Priority: -- → P3
Comment 1 (Reporter) • 6 years ago
This also looks like the case in:
- PBackground.ipdl::PServiceWorker and PBackground.ipdl::PServiceWorkerRegistration
- netwerk/ipc/NeckoChannelParams.ipdlh's controller property
- The 'Claim' mechanism of Service Workers (the principal used in ClientManagerService::Claim seems to be content-process-controlled)
Updated•2 years ago
Severity: normal → S3
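
The two parent-side designs the description contrasts, as an added C++ model that is not part of the bug report and not Gecko code: a handler that acts on the origin named in the child's message, beside an actor whose origin the parent fixes at construction. Every type and function name and both origins are hypothetical stand-ins; `claimedOrigin` plays the role of the principal inside IPCClientInfo.

```cpp
#include <set>
#include <string>
#include <utility>

// Constructed model, not Gecko code: every name below is hypothetical.
using Origin = std::string;

struct ParentRegistry { std::set<Origin> registered; };  // parent-process state

// Message from a content process; all fields are untrusted input.
struct RegisterMsg {
    Origin claimedOrigin;  // stands in for the principal in IPCClientInfo
    std::string scriptUrl;
};

// Pattern the bug describes: the parent acts on the origin named in the message.
bool RegisterTrustingMessage(ParentRegistry& reg, const RegisterMsg& msg) {
    reg.registered.insert(msg.claimedOrigin);
    return true;
}

// Proposed pattern: the parent binds the origin when it constructs the actor.
class BoundContainerParent {
public:
    BoundContainerParent(ParentRegistry& reg, Origin trusted)
        : mReg(reg), mOrigin(std::move(trusted)) {}
    bool RecvRegister(const RegisterMsg& msg) {
        if (msg.claimedOrigin != mOrigin) return false;  // reject mismatched claim
        mReg.registered.insert(mOrigin);                 // only the bound origin is used
        return true;
    }
private:
    ParentRegistry& mReg;
    const Origin mOrigin;
};

// A child the parent assigned to childOrigin sends a message naming msgOrigin.
// Returns whether msgOrigin ended up registered in the parent.
bool RegistrationLands(bool bound, const Origin& childOrigin, const Origin& msgOrigin) {
    ParentRegistry reg;
    RegisterMsg msg{msgOrigin, msgOrigin + "/sw.js"};
    if (bound) { BoundContainerParent actor(reg, childOrigin); actor.RecvRegister(msg); }
    else { RegisterTrustingMessage(reg, msg); }
    return reg.registered.count(msgOrigin) == 1;
}

int main() {
    const Origin a = "https://a.example", b = "https://b.example";  // constructed
    return (RegistrationLands(false, a, b) && !RegistrationLands(true, a, b)) ? 0 : 1;
}
```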