Closed Bug 964276 Opened 6 years ago Closed 5 years ago
Workers loaded from blob URIs don't work with any 'script-src' CSP set
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
Steps to reproduce:
Set CSP header. Created blob from source. Created web worker.
Actual results:
Error: Failed to load script: blob:9647f5e4-fba4-4204-b1d3-36b9534c464f (nsresult = 0x805e0006)
Expected results:
Worker should load.
Summary: Workers loaded from blob URIs do work with any 'script-src' CSP set → Workers loaded from blob URIs don't work with any 'script-src' CSP set
With the directive:
> script-src * 'unsafe-inline'
the worker script is executed. However, with just * or 'unsafe-inline' it's not. This behavior is consistent with Chrome. We diverge from Chrome in that
> script-src 'self' 'unsafe-inline'
works on Chrome, but not us. I think this treatment of blobs as same-origin or not differs in multiple places though.
Assignee: nobody → deian
Status: UNCONFIRMED → NEW
Ever confirmed: true
Deian: what info do you seek? I don't see a question in Comment 1.
Component: Security → DOM: Security
Flags: needinfo?(sstamm) → needinfo?(deian)
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
> Deian: what info do you seek? I don't see a question in Comment 1.
Is this the behavior that we want? That is, should blobs be considered of a different origin from the scripts creating them? As far as I can tell, the File API spec does not say anything about this, so we should also clarify there.
We hit this today at Facebook after turning on CSP for modern versions of Firefox (it had only been on for older versions). We ended up turning off CSP on affected pages. This can be tricky to track down at first, since it doesn't trigger a Content Security Policy error/explanation in the console; just the "Failed to load script" console error.
I think this is a question for the working group if it's not clear in the spec. The blob URIs have a different scheme than the protected document, so if "blob:" isn't allowed by the CSP, it'll be blocked. Same for data: URIs, so IMO this is working as intended.
It appears Firefox's current solution is a blob: source-expression [1]. Tested and confirmed on FF28.
[1] http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0070.html
Based on the clarification to the spec, Firefox is doing the right thing, so I'm marking this as resolved. http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
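The rule the bug was resolved on, as an added example that is not part of the bug report or of Firefox's code: a small JavaScript evaluator for script-src source-list matching, assuming the CSP Level 2 and later rules under which blob: is its own scheme, so neither 'self' nor * covers a blob: worker URL and only an explicit blob: source expression does. Wildcard hosts, paths, nonces and hashes are not modelled, and the document origin and blob URL are constructed values.

```javascript
// Added example (not from the bug report or Firefox): simplified script-src
// matching, following the CSP2/CSP3 rule that blob: and data: are separate
// schemes not covered by 'self' or '*'. Only scheme-sources, plain host-sources,
// 'self' and '*' are modelled; keyword sources never grant a URL.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Returns true if `url` may be loaded as a script under the script-src value
// `scriptSrc` by a document whose origin is `docOrigin`.
function allowedByScriptSrc(scriptSrc, url, docOrigin) {
  const target = new URL(url);
  const doc = new URL(docOrigin);
  for (const expr of scriptSrc.trim().split(/\s+/)) {
    const e = expr.toLowerCase();
    if (e === "*") {
      // '*' matches only network schemes, never blob:, data: or filesystem:
      if (NETWORK_SCHEMES.has(target.protocol)) return true;
    } else if (e === "'self'") {
      // 'self' requires the same scheme, host and port as the document;
      // a blob: URL has scheme blob:, so it never matches 'self'
      if (target.protocol === doc.protocol && target.origin === doc.origin) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
      // scheme-source such as blob: or https:
      if (target.protocol === e) return true;
    } else if (e && !e.startsWith("'")) {
      // host-source; the scheme defaults to the document's scheme
      const host = new URL(e.includes("://") ? e : `${doc.protocol}//${e}`);
      if (host.origin === target.origin) return true;
    }
    // 'unsafe-inline' and other keyword sources grant no URL
  }
  return false;
}

// Constructed values standing in for the scenario in the report.
const DOC_ORIGIN = "https://app.example";
const WORKER_URL = "blob:https://app.example/9647f5e4-fba4-4204-b1d3-36b9534c464f";

// The policies discussed in the thread, evaluated for the blob: worker URL.
function blobWorkerOutcomes() {
  return {
    selfOnly: allowedByScriptSrc("'self' 'unsafe-inline'", WORKER_URL, DOC_ORIGIN), // false
    star: allowedByScriptSrc("* 'unsafe-inline'", WORKER_URL, DOC_ORIGIN),           // false
    withBlob: allowedByScriptSrc("'self' blob:", WORKER_URL, DOC_ORIGIN),            // true
  };
}
```

Under these rules the fix is to add blob: to script-src (or worker-src where supported), not to widen the policy to *.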