
Issue 580320


Issue metadata

Status: Duplicate
Merged: issue 336894
Owner:
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Cannot create web workers when using suborigins

Reported by mmi...@gmail.com, Jan 21 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0

Example URL:
http://mockbin.org/bin/b582df19-fb74-44e2-ae74-dab25bfda779

Steps to reproduce the problem:
When a site is served with a suborigin and you want to create a web worker on such a site, with a script from the same suborigin, there is an invalid security error that the origins do not match. Example:

b582df19-fb74-44e2-ae74-dab25bfda779:3 Uncaught SecurityError: Failed to construct 'Worker': Script at 'http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5' cannot be accessed from origin 'http://foobar_mockbin.org'.

What is the expected behavior?
That the web worker is created normally.

What went wrong?
The error is thrown:

b582df19-fb74-44e2-ae74-dab25bfda779:3 Uncaught SecurityError: Failed to construct 'Worker': Script at 'http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5' cannot be accessed from origin 'http://foobar_mockbin.org'.

For the example URL: http://mockbin.org/bin/b582df19-fb74-44e2-ae74-dab25bfda779

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? N/A 

Does this work in other browsers? N/A 

Chrome version: Version 50.0.2627.0 canary (64-bit)  Channel: canary
OS Version: OS X 10.10
Flash Version:
 

Comment 1 by mmi...@gmail.com, Jan 21 2016

Workaround:

> var blob = new Blob(['importScripts("http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5")'], {type: 'application/javascript'});
> new Worker(URL.createObjectURL(blob));
> worker loaded

Comment 2 by mmi...@gmail.com, Jan 22 2016

Ah, the workaround does not work when using suborigins. Only when you do not. Examples follow.

With CSP directives, but no suborigins, web worker works (in the console you get "worker loaded"):

http://mockbin.org/bin/97b9e029-e035-4efe-9181-daa5ddd2ae94/view

With CSP directives and suborigins, web worker does not work:

http://mockbin.org/bin/529e339f-4433-4e86-b3a0-c14fd68186e4/view

With suborigins only, web worker does not work:

http://mockbin.org/bin/4afd3547-6706-47eb-a11f-e1d62658e313/view

Without any CSP directives, web worker works:

http://mockbin.org/bin/94d0a389-2b4f-406b-8c1e-10c4d55916d8/view

Example error:

Uncaught SecurityError: Failed to construct 'Worker': Script at 'blob:http%3A//foobar_mockbin.org/484fa8d7-f7f7-490d-ac9c-f0aa1a13652d' cannot be accessed from origin 'http://foobar_mockbin.org'.

Labels: TE-NeedsFurtherTriage

Comment 4 by jww@chromium.org, Jan 22 2016

Labels: -OS-Mac -TE-NeedsFurtherTriage OS-All Cr-Blink-SecurityFeature
Owner: jww@chromium.org
Status: Assigned

Comment 5 by mmi...@gmail.com, Jan 22 2016

So it seems there are two problems here: blob URLs do not work anymore inside suborigins. And same origin does not work inside.

The reason is probably the check:

if (!executionContext()->securityOrigin()->canRequestNoSuborigin(scriptURL)) {

It does not allow only requests when not in suborigin. This is a bit too strict, no?

Comment 6 by mmi...@gmail.com, Jan 22 2016

BTW, this is a blocker for one project we are working on. :-(

Comment 7 by mmi...@gmail.com, Jan 23 2016

There are two places where this is blocked. In third_party/WebKit/Source/core/workers/AbstractWorker.cpp, there is a check which prevents any request from a suborigin. And in third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp, the loadAsynchronously call has DenyCrossOriginRequests, which seems to be too restrictive about suborigins. Changing it to AllowCrossOriginRequests makes things work, but this is probably too broad. Probably DenyCrossOriginRequests should be changed so that it allows suborigins.

Labels: -Cr-Blink
Owner: jochen@chromium.org
Labels: Hotlist-EnamelAndFriendsFixIt
Mergedinto: 336894
Status: Duplicate (was: Assigned)
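
The two checks discussed in comments 5 and 7, as an added JavaScript model that is not Chromium's code and not part of the original thread: it shows why both the plain URL and the blob URL are refused from a suborigin, and what a suborigin-aware comparison would decide instead. The function names and the `scheme://<name>_<host>` serialization rule are assumptions inferred from the error messages quoted in the report.

```javascript
// Added model of the checks discussed in comments 5 and 7; not Chromium code.
// Assumption: a suborigin context serializes as scheme://<name>_<host>, as in
// the error text ('http://foobar_mockbin.org' = suborigin "foobar" on mockbin.org).
function parseOrigin(serialized) {
  const u = new URL(serialized);
  const i = u.hostname.indexOf('_');
  const host = i === -1 ? u.hostname : u.hostname.slice(i + 1);
  return {
    physical: `${u.protocol}//${host}${u.port ? ':' + u.port : ''}`,
    suborigin: i === -1 ? null : u.hostname.slice(0, i),
  };
}

// Origin of a worker script URL. A blob: URL carries the (percent-encoded)
// serialized origin of the context that created it after the "blob:" prefix.
function scriptOrigin(scriptURL) {
  const inner = scriptURL.startsWith('blob:')
    ? decodeURIComponent(scriptURL.slice('blob:'.length))
    : scriptURL;
  return parseOrigin(new URL(inner).origin);
}

// Behaviour as reported in comment 7: any request from a suborigin is refused.
function strictCheck(contextOrigin, scriptURL) {
  const ctx = parseOrigin(contextOrigin);
  if (ctx.suborigin !== null) return false;
  return scriptOrigin(scriptURL).physical === ctx.physical;
}

// Hypothetical relaxation along the lines comment 7 suggests: cross-origin
// scripts stay denied; a blob must come from the same suborigin. A plain URL
// cannot show which suborigin its response is served with, so only its
// physical origin is compared here.
function suboriginAwareCheck(contextOrigin, scriptURL) {
  const ctx = parseOrigin(contextOrigin);
  const script = scriptOrigin(scriptURL);
  if (script.physical !== ctx.physical) return false;
  return script.suborigin === null || script.suborigin === ctx.suborigin;
}

// URLs and origins below are the ones quoted in the report's error messages.
const CONTEXT = 'http://foobar_mockbin.org';
const HTTP_SCRIPT = 'http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5';
const BLOB_SCRIPT = 'blob:http%3A//foobar_mockbin.org/484fa8d7-f7f7-490d-ac9c-f0aa1a13652d';
for (const url of [HTTP_SCRIPT, BLOB_SCRIPT]) {
  console.log(url, strictCheck(CONTEXT, url), suboriginAwareCheck(CONTEXT, url));
}
```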
