
Issue 665356

Starred by 4 users

Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task




CSP: Fire 'SecurityPolicyViolation' event in Workers.

Project Member Reported by mkwst@chromium.org, Nov 15 2016

Issue description

Currently, we're exiting `ContentSecurityPolicy::reportViolation` early if we're in a worker context. We should stop doing that.

See https://w3c.github.io/webappsec-csp/#violation-events.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e597dade5ea41f95c5b50f564fbb1d77553c396b

commit e597dade5ea41f95c5b50f564fbb1d77553c396b
Author: mkwst <mkwst@chromium.org>
Date: Thu Nov 17 10:36:34 2016

CSP: Fire 'securitypolicyviolation' events in Workers.

Currently, we fire a violation event only if the violation occurs within
a document. We ought to fire the event for Workers as well. This patch
does so.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/VYhixsNgEHM/SilKZTYOAwAJ

BUG=665356

Review-Url: https://codereview.chromium.org/2500383002
Cr-Commit-Position: refs/heads/master@{#432835}

[modify] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/testharness-helper.js
[add] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/inside-dedicated-worker.html
[add] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/inside-service-worker.html
[add] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/inside-shared-worker.html
[add] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/resources/inside-worker.php
[modify] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/e597dade5ea41f95c5b50f564fbb1d77553c396b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Comment 2 by horo@chromium.org, Jul 21 2017

Components: Blink>Loader
The SecurityPolicyViolation events for "block-all-mixed-content" still occur in a document.

Demo: https://horo-t.github.io/tmp/20170721/mixed_content_worker.html

--HTML--
<meta http-equiv="content-security-policy" content="block-all-mixed-content;">
<script>
window.addEventListener('securitypolicyviolation', () => {
  console.log('securitypolicyviolation event in window');
});
var worker = new Worker('./worker.js');
</script>
--------

--worker.js--
self.addEventListener('securitypolicyviolation', () => {
  console.log('securitypolicyviolation event in worker');
});

fetch('http://horo-t.github.io/');
-------------

Expected: "securitypolicyviolation event in worker" is printed in DevTools.
Actual: "securitypolicyviolation event in window" is printed in DevTools.

mkwst@
Is this a known issue?

CSPDirectiveList::AllowConnectToSource() is executed in the worker thread.
So the SecurityPolicyViolation events for "connect-src" occur in the worker.
V8WorkerGlobalScopePartial::fetchMethodCallback()
 => WorkerGlobalScopePartialV8Internal::fetchMethod()
  => GlobalFetch::fetch()
   => FetchManager::Fetch()
    => FetchManager::Loader::Start()
     => ContentSecurityPolicy::AllowConnectToSource()
      => CSPDirectiveList::AllowConnectToSource()
       => CSPDirectiveList::CheckSourceAndReportViolation()
        => CSPDirectiveList::ReportViolation()
         => ContentSecurityPolicy::ReportViolation()

But ContentSecurityPolicy::ReportMixedContent() is executed in the main thread.
So the SecurityPolicyViolation events for "block-all-mixed-content" occur in the main thread.

WorkerThreadableLoader::MainThreadLoaderHolder::CreateAndStart()
 => WorkerThreadableLoader::MainThreadLoaderHolder::Start()
  => DocumentThreadableLoader::Start()
   => DocumentThreadableLoader::DispatchInitialRequest()
    => DocumentThreadableLoader::LoadRequest()
     => DocumentThreadableLoader::LoadRequestAsync()
      => RawResource::Fetch()
       => ResourceFetcher::RequestResource()
        => ResourceFetcher::PrepareRequest()
         => BaseFetchContext::CanRequest()
          => BaseFetchContext::CanRequestInternal()
           => FrameFetchContext::ShouldBlockFetchByMixedContentCheck()
            => MixedContentChecker::ShouldBlockFetch()
             => ContentSecurityPolicy::ReportMixedContent()
              => CSPDirectiveList::ReportMixedContent()
               => ContentSecurityPolicy::ReportViolation()
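
Added example, not part of the original thread and not Chromium code: a collector that listens for 'securitypolicyviolation' in both the page and its dedicated worker and tags each record with the context that received it, so monitoring still captures a violation when it is delivered to the window rather than the worker, as comment 2 reports. The function names and the 'csp-violation' message type are assumptions made for this sketch.

```javascript
// Added illustration; function names and the 'csp-violation' message type
// are hypothetical, not taken from the issue or from Chromium.

// Reduce a SecurityPolicyViolationEvent to a plain, postMessage-safe record.
function violationRecord(event, observedIn) {
  return {
    observedIn, // context whose listener fired: 'window' or 'worker'
    directive: event.effectiveDirective || event.violatedDirective || '',
    blockedURI: event.blockedURI || '',
    disposition: event.disposition || 'enforce',
  };
}

// Worker side: call relayFromWorker(self) at the top of worker.js.
function relayFromWorker(workerScope) {
  workerScope.addEventListener('securitypolicyviolation', (event) => {
    workerScope.postMessage({
      type: 'csp-violation',
      record: violationRecord(event, 'worker'),
    });
  });
}

// Page side: call collectViolations(window, worker, sink) after new Worker(...).
function collectViolations(windowScope, worker, sink) {
  windowScope.addEventListener('securitypolicyviolation', (event) => {
    sink(violationRecord(event, 'window'));
  });
  worker.addEventListener('message', (message) => {
    const data = message.data;
    if (data && data.type === 'csp-violation' && data.record) {
      sink(data.record);
    }
  });
}

// Tally records as "<context>|<directive>" to show where each directive's
// violations were actually delivered.
function countByContext(records) {
  const counts = {};
  for (const r of records) {
    const key = `${r.observedIn}|${r.directive}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```

With the behaviour reported in comment 2, a worker's "connect-src" violation tallies under `worker|connect-src`, while its "block-all-mixed-content" violation tallies under `window|block-all-mixed-content`.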
               

Comment 3 by horo@chromium.org, Jul 21 2017

Cc: tyoshino@chromium.org

Comment 4 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

Comment 5 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 6 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
