Flaky Security Error: Content at https://domain may not load data from blob:https//domain
Categories
(Core :: DOM: Workers, defect, P3)
People
(Reporter: jason, Unassigned)
Details
(Whiteboard: dom-lws-bugdash-triage)
Steps to reproduce:
This repro only happens ~25% of the time, given it's a flake.
Go to https://coda.io/@kennywong/otf and wait ~2 minutes
I'm also changing our production code so hopefully this won't repro in about 24-72 hours.
Here is a snippet of the code that is a problem:
try {
  const content = await HttpClient.getInstance().get(jsPath, {
    headers: {Accept: null},
    responseType: 'arraybuffer',
  });
  blobUrl = win.URL.createObjectURL(new Blob([content]));
  this.worker = new (win as any).Worker(jsUrl);
  this.worker!.onmessage = ee => this._onMessage(ee);
} catch (err: any) {
  this.setFatalError(WorkerErrorType.Init, err);
  // Note the finally block always executes after this return statement but the rest of this function will not.
  return;
} finally {
  if (blobUrl) {
    win.URL.revokeObjectURL(blobUrl);
  }
}
I'm fairly confident that the problem is when the revokeObjectURL runs the Worker startup is not done with it. It seems like there should be some API to know when the Worker is actually done with the blob. I'm also guessing that the Security Error really means the blob is now missing / gone since loading content from your own domain doesn't really seem like a security issue.
Our logs indicate this happens much more frequently on Firefox, but it may happen on Chrome as well. I was not able to get a repro on Chrome and was quickly able to on Firefox.
I plan to change our production code to move the revokeObjectURL into a timeout to be run later to hopefully avoid the issue, but figured I'd try to report it as well.
Actual results:
Security Error: Content at https://coda.io/@kennywong/otf may not load data from blob:https://coda.io/25edf896-dc61-4242-9cfe-473884972c9a.
When this error throws the Worker never starts up.
Expected results:
No security error and Worker starts
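One way to tie revocation to the worker's own startup signal rather than to a finally block or a timer, as an added example that is not the reporter's or the browser's code. The names startWorkerFromBytes and makeFakeWindow are hypothetical, and it assumes the worker script posts a message as soon as it starts; the fake window is constructed so the ordering can be exercised outside a browser.

```javascript
// Added example: revoke the blob URL only once the worker has reported in
// (first message) or failed (error event), never straight after construction.
// Assumption: the worker script posts a message as soon as it starts.
function startWorkerFromBytes(win, content, onMessage, onFatal) {
  const blobUrl = win.URL.createObjectURL(new win.Blob([content]));
  let revoked = false;
  const revokeOnce = () => {
    if (revoked) return;
    revoked = true;
    win.URL.revokeObjectURL(blobUrl);
  };
  let worker;
  try {
    worker = new win.Worker(blobUrl);
  } catch (err) {
    revokeOnce(); // constructor threw, so nothing will ever read the URL
    onFatal(err);
    return null;
  }
  // The first message proves the script was fetched from the blob URL.
  worker.onmessage = ev => { revokeOnce(); onMessage(ev); };
  // A load or runtime failure also means the URL is no longer needed.
  worker.onerror = err => { revokeOnce(); onFatal(err); };
  return worker;
}

// Constructed stand-in for `window`: the fake Worker reads the blob URL only
// when load() is called, modelling a script fetch that completes later.
function makeFakeWindow() {
  const live = new Set(); // blob URLs that have not been revoked
  let n = 0;
  class FakeWorker {
    constructor(url) { this.url = url; }
    load() {
      if (live.has(this.url)) this.onmessage({data: 'ready'});
      else this.onerror(new Error('blob URL revoked before load'));
    }
  }
  return {
    live,
    Blob: class { constructor(parts) { this.parts = parts; } },
    URL: {
      createObjectURL: () => { const u = 'blob:fake/' + n++; live.add(u); return u; },
      revokeObjectURL: u => live.delete(u),
    },
    Worker: FakeWorker,
  };
}
```

In a real page, pass window as win; the startup message has to be sent by the worker script itself, since the Worker constructor gives no load-complete callback.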
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•3 years ago
Sounds like something is wrong with the approach of the code, and I see some warnings in the console about CSP.
Anyway, Worker could be related. Moving the component.