Closed Bug 964276 Opened 6 years ago Closed 5 years ago

Workers loaded from blob URIs don't work with any 'script-src' CSP set

Categories

(Core :: DOM: Security, defect)

28 Branch
x86_64
Windows 7
defect
Not set

RESOLVED WONTFIX

People

(Reporter: pfrazee, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36

Steps to reproduce:

Set CSP header.
Create blob from source.
Create web worker.


Actual results:

Error: Failed to load script: blob:9647f5e4-fba4-4204-b1d3-36b9534c464f (nsresult = 0x805e0006)


Expected results:

Worker should load.
Component: General → Security
Summary: Workers loaded from blob URIs do work with any 'script-src' CSP set → Workers loaded from blob URIs don't work with any 'script-src' CSP set
Attached file worker.html
With the directive:

> script-src * 'unsafe-inline'

the worker script is executed. However with just * or 'unsafe-inline' it's not. This behavior is consistent with Chrome. We diverge from chrome in that

> script-src 'self' 'unsafe-inline'

works on Chrome, but not us. I think this treatment of blobs as same-origin or not differs in multiple places though.
Assignee: nobody → deian
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(sstamm)
Assignee: deian → nobody
Deian: what info do you seek?  I don't see a question in Comment 1.
Blocks: CSP
Component: Security → DOM: Security
Flags: needinfo?(sstamm) → needinfo?(deian)
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
> Deian: what info do you seek?  I don't see a question in Comment 1.

Is this the behavior that we want? That is, should blobs be considered
of a different origin from the scripts creating them? As far as I can
tell, the File API spec does not say anything about this, so we should
also clarify there.
Flags: needinfo?(deian)
We hit this today at Facebook after turning on CSP for modern versions of Firefox (it had only been on for older versions). We ended up turning off CSP on affected pages. This can be tricky to track down at first since it doesn't trigger a Content Security Policy error/explanation in the console; just the "Failed to load script" console error.
I think this is a question for the working group if it's not clear in the spec.  The blob URIs have a different scheme than the protected document, so if "blob:" isn't allowed by the CSP, it'll be blocked.  Same for data: URIs, so IMO this is working as intended.
It appears Firefox's current solution is a blob: source-expression [1]. Tested and confirmed on FF28.

[1] http://lists.w3.org/Archives/Public/public-webappsec/2013Aug/0070.html
Based on the clarification to the spec, Firefox is doing the right thing, so I'm marking this as resolved.

http://lists.w3.org/Archives/Public/public-webappsec/2014Apr/0021.html
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
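As an added example (not code from the bug or its worker.html attachment), the check below models the rule this bug resolves on: a blob: script is only permitted when `blob:` appears explicitly in `script-src` (or in `default-src` when `script-src` is absent), and neither `*` nor `'self'` covers it. The Firefox 28 quirk from comment 1, where `* 'unsafe-inline'` lets the worker run, is deliberately not modelled; the header strings and the `startBlobWorker` helper are constructed for illustration.

```javascript
// Parse a Content-Security-Policy header into directive name -> source list.
// Directives are ';'-separated, sources are whitespace-separated; per CSP the
// first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Would this policy let the page start a Worker from a blob: URL?
// blob: is its own scheme, so only an explicit blob: scheme-source matches it;
// '*', 'self' and host sources do not (the behaviour Firefox settled on here).
function allowsBlobWorker(header) {
  const policy = parsePolicy(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.includes('blob:');
}

// Constructed header pair: the first reproduces the bug, the second is the fix.
const WEAK_POLICY = "script-src 'self' 'unsafe-inline'";
const FIXED_POLICY = "script-src 'self' 'unsafe-inline' blob:";

// Browser-side repro matching the steps in the report (not executed under Node).
// A CSP block here surfaces only as worker.onerror / "Failed to load script",
// not as a CSP violation report, which is why it is easy to misdiagnose.
function startBlobWorker(source) {
  const url = URL.createObjectURL(new Blob([source], { type: 'text/javascript' }));
  const worker = new Worker(url);
  worker.onerror = (e) => console.error('worker failed to load:', e.message);
  return worker;
}
```

Listing `blob:` in `script-src` broadens the policy, since any script that can create an object URL can then run arbitrary text as a script, so confine it to the pages that actually need blob workers rather than adding it site-wide.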