Issue metadata
Sign in to add a comment
|
Cannot create web workers when using suborigins
Reported by
mmi...@gmail.com,
Jan 21 2016
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0 Example URL: http://mockbin.org/bin/b582df19-fb74-44e2-ae74-dab25bfda779 Steps to reproduce the problem: When site is served with a suborigin and you want to create a web worker on such site, with a script from the same suborigin, there is an invalid security error that the origins do not match. Example: b582df19-fb74-44e2-ae74-dab25bfda779:3 Uncaught SecurityError: Failed to construct 'Worker': Script at 'http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5' cannot be accessed from origin 'http://foobar_mockbin.org'. What is the expected behavior? That web worker is created normally. What went wrong? The error is thrown: b582df19-fb74-44e2-ae74-dab25bfda779:3 Uncaught SecurityError: Failed to construct 'Worker': Script at 'http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5' cannot be accessed from origin 'http://foobar_mockbin.org'. For the example URL: http://mockbin.org/bin/b582df19-fb74-44e2-ae74-dab25bfda779 Does it occur on multiple sites: Yes Is it a problem with a plugin? No Did this work before? N/A Does this work in other browsers? N/A Chrome version: Version 50.0.2627.0 canary (64-bit) Channel: canary OS Version: OS X 10.10 Flash Version:
,
Jan 22 2016
Ah, workaround does not work when using suborigins. Only when you do not. Examples follow. With CSP directives, but no suborigins, web worker works (in console you get "worker loaded"): http://mockbin.org/bin/97b9e029-e035-4efe-9181-daa5ddd2ae94/view With CSP directives and suborigins, web worker does not work: http://mockbin.org/bin/529e339f-4433-4e86-b3a0-c14fd68186e4/view With suborigins only, web worker does not work: http://mockbin.org/bin/4afd3547-6706-47eb-a11f-e1d62658e313/view Without any CSP directives, web worker works: http://mockbin.org/bin/94d0a389-2b4f-406b-8c1e-10c4d55916d8/view Example error: Uncaught SecurityError: Failed to construct 'Worker': Script at 'blob:http%3A//foobar_mockbin.org/484fa8d7-f7f7-490d-ac9c-f0aa1a13652d' cannot be accessed from origin 'http://foobar_mockbin.org'.
,
Jan 22 2016
,
Jan 22 2016
,
Jan 22 2016
So it seems there are two problems here: blob URLs do not work anymore inside suborigins. And same origin does not work inside.
The reason is probably the check:
if (!executionContext()->securityOrigin()->canRequestNoSuborigin(scriptURL)) {
It does not allow only requests when not in suborigin. This is a bit too strict, no?
,
Jan 22 2016
BTW, this is a blocker for one project we are working on. :-(
,
Jan 23 2016
There are two places where this is blocked. In third_party/WebKit/Source/core/workers/AbstractWorker.cpp, there is a check which prevents any request from suborigin. And in third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp, loadAsynchronously call has DenyCrossOriginRequests, which seems to be too restrictive about suborigins. Changing it to AllowCrossOriginRequests makes things work, but this is probably too broad. Probably DenyCrossOriginRequests should be changed so that it allows suborigins.
,
Jan 26 2016
,
Apr 7 2017
,
Nov 10 2017
,
Feb 2 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmi...@gmail.com
, Jan 21 2016Workaround: > var blob = new Blob(['importScripts("http://mockbin.org/bin/32b5ebab-bafb-4b7d-8045-0a89800fead5")'], {type: 'application/javascript'}); > new Worker(URL.createObjectURL(blob)); > worker loaded