Closed
Bug 964276
Opened 10 years ago
Closed 10 years ago
Workers loaded from blob URIs don't work with any 'script-src' CSP set
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: pfrazee, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
426 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 Steps to reproduce: Set CSP header. Created blob from source. Created web worker Actual results: Error: Failed to load script: blob:9647f5e4-fba4-4204-b1d3-36b9534c464f (nsresult = 0x805e0006) Expected results: Worker should load.
Summary: Workers loaded from blob URIs do work with any 'script-src' CSP set → Workers loaded from blob URIs don't work with any 'script-src' CSP set
Comment 1•10 years ago
|
||
With the directive: > script-src * 'unsafe-inline' the worker script is executed. However with just * or 'unsafe-inline' it's not. This behavior is consistent with Chrome. We diverge from chrome in that > script-src 'self' 'unsafe-inline' works on Chrome, but not us. I think this treatement of blobs as same-origin or not differs in multiple places though.
Assignee: nobody → deian
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(sstamm)
Updated•10 years ago
|
Updated•10 years ago
|
Assignee: deian → nobody
Comment 3•10 years ago
|
||
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2) > Deian: what info do you seek? I don't see a question in Comment 1. Is this the behavior that we want? That is, should blobs be considered of a different origin from the scripts creating them? As far as I can tell, the File API spec does not say anything about this, so we should also clarify there.
Flags: needinfo?(deian)
Comment 4•10 years ago
|
||
We hit this today at Facebook after turning on CSP for modern versions of Firefox (it had only been on for older versions). We ended up turning off CSP on affected pages. This can be tricky to track down at first down since it doesn't trigger a Content Security Policy error/explanation in the console; just the "Failed to load script" console error.
Comment 5•10 years ago
|
||
I think this is a question for the working group if it's not clear in the spec. The blob URIs have a different scheme than the protected document, so if "blob:" isn't allowed by the CSP, it'll be blocked. Same for data: URIs, so IMO this is working as intended.
It appears Firefox's current solution is a blob: source-expression [1]. Tested and confirmed on FF28. 1 http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0070.html
Comment 7•10 years ago
|
||
Based on the clarification to the spec, Firefox is doing the right thing, so I'm marking this as resolved. http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•