Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Issue 483458 Enforce referrer policy for workers
Starred by 1 user Project Member Reported by est...@chromium.org, May 1 2015 Back to list
Status: Fixed
Owner:
Closed: May 2015
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment
Workers now have their own CSPs, so the Content-Security-Policy served with a worker script is enforced for that worker... for everything except referrer policies. We should enforce referrer policies for workers by using the worker's policy instead of the default referrer policy to generate the referrer for resource loads from workers.
 
Project Member Comment 1 by bugdroid1@chromium.org, May 4 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=194885

------------------------------------------------------------------
r194885 | estark@chromium.org | 2015-05-04T19:48:59.548794Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ExecutionContext.h?r1=194885&r2=194884&pathrev=194885
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/echo-referrer-header.php?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.cpp?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/frame/csp/ContentSecurityPolicy.cpp?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.h?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/WorkerThreadableLoader.cpp?r1=194885&r2=194884&pathrev=194885
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/referrer-policy-worker-has-referrer.html?r1=194885&r2=194884&pathrev=194885
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/referrer-policy-worker-no-referrer.html?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ExecutionContext.cpp?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/WorkerThreadableLoader.h?r1=194885&r2=194884&pathrev=194885
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.php?r1=194885&r2=194884&pathrev=194885

Enforce referrer policies for workers

When requesting a resource on behalf of a worker, use the worker's
referrer policy instead of the default.

This CL does three things:
1. Move the referrer policy from Document to ExecutionContext, so that
other contexts (i.e. WorkerGlobalScope) get referrer policies too.
2. When binding a CSP to an ExecutionContext, set the referrer policy
for all types of contexts, not just Document.
3. When setting up a MainThreadBridge to load a resource from a worker,
use the worker's referrer policy to generate the referrer for the
request, instead of always using the default referrer policy.

Added layout tests to check that workers can have a referrer policy
different from the document's.

BUG= 483458 

Review URL: https://codereview.chromium.org/1117203002
-----------------------------------------------------------------
Project Member Comment 2 by bugdroid1@chromium.org, May 18 2015
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=195470

------------------------------------------------------------------
r195470 | estark@chromium.org | 2015-05-18T17:50:30.445304Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp.html?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/referrer-policy-worker-has-referrer.html?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/WorkerScriptLoaderClient.h?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/web/WebSharedWorkerImpl.cpp?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/InProcessWorkerBase.cpp?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.php?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/web/WebSharedWorkerImpl.h?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/InProcessWorkerBase.h?r1=195470&r2=195469&pathrev=195470
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/shared-worker-make-xhr.js?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html?r1=195470&r2=195469&pathrev=195470
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/core.gypi?r1=195470&r2=195469&pathrev=195470
   A http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/WorkerScriptLoaderClient.cpp?r1=195470&r2=195469&pathrev=195470

Give shared workers their own content security policies

This CL assigns shared workers the CSP that was served when the script
was fetched. Code to handle the CSP when loading a worker is now on the
WorkerScriptLoaderClient base class instead of just on
InProcessWorkerBase (where it was previously located to handle CSP for
dedicated workers).

BUG= 474872 , 483458 

Review URL: https://codereview.chromium.org/1128813003
-----------------------------------------------------------------
Comment 3 by est...@chromium.org, May 18 2015
Status: Fixed
Sign in to add a comment