Issue 702396

Issue metadata

Status: WontFix
Closed: Apr 2017
Pri: 2
Type: Bug
Team-Security-UX

Blocking: issue 702001

ServiceWorker PopulateURLResponse does not populate security info if DevTools is attached

Project Member Reported by elawrence@chromium.org, Mar 16 2017

Issue description

Chrome Version: 59.0.3042.0

What steps will reproduce the problem?
(1) Visit a site with a ServiceWorker (e.g. Twitter)
(2) Open DevTools > Security and click through the Origin list on the left

Problem: Any Origin whose first response went through a ServiceWorker shows no security information.

The root cause appears to be this TODO item in service_worker_context_client.cc

// TODO(horo): Set report_security_info to true when DevTools is attached. 
const bool report_security_info = false; 
WebURLLoaderImpl::PopulateURLResponse(url_, response_head, response_.get(), report_security_info);
 

Comment 1 by horo@chromium.org, Apr 18 2017

Cc: clamy@chromium.org horo@chromium.org
Labels: Needs-Feedback Proj-PlzNavigate
Owner: elawrence@chromium.org
I think this is not a bug of PlzNavigate, not ServiceWorker.

This code is executed in the service worker thread when the service worker receives the NavigationPreload response.
Currently Twitter doesn't use the NavigationPreload feature yet.
So the code must not be executed while you are visiting Twitter.

I tested in 59.0.3067.0 by enabling/disabling PlzNavigate without ServiceWorker.

1. PlzNavigate disabled
1.1 Start Chrome with "--disable-features=browser-side-navigation" flag.
1.2 Go to https://horo-t.github.io/
1.3 Open DevTools > Security tab
1.4 Reload the page.
1.5 We can see the security information about the origin.

2. PlzNavigate enabled
2.1 Start Chrome with "--enable-features=browser-side-navigation" flag.
2.2 Go to https://horo-t.github.io/
2.3 Open DevTools > Security tab
2.4 Reload the page.
2.5 No security information about the origin.


And also I verified that the security information is available even if the page is using NavigationPreload.

3.1 Start Chrome with "--disable-features=browser-side-navigation" flag.
3.2 Go to https://horo-test.appspot.com/navigationpreload/demo/
3.3 Click "Register SW"
3.4 Click "test" link
3.5 Open DevTools > Security tab
3.6 Reload the page.
3.7 We can see the security information about the origin.


elawrence@
Could you please check using those flags?

Comment 2 by horo@chromium.org, Apr 18 2017

s/I think this is not a bug of PlzNavigate, not ServiceWorker./I think this is a bug of PlzNavigate, not ServiceWorker./

It could well be the case that a Twitter-specific repro is caused by something else, but am I correct in understanding that the TODO: identified in comment #0 represents another scenario where the information would be missing? Or is the TODO incorrect and that codepath would never cause such a problem?

Comment 4 by horo@chromium.org, Apr 19 2017

I think there is no problem.

SecurityPanel.js in DevTools calls getCertificate(origin, mycallback) of all attached NetworkAgents.
InspectorNetworkAgent::getCertificate() looks up an origin-matching resource in all resources of the page (and sw).

The origin of the NavigationPreload response must be the same as the page's origin.
So even if we don't set the security_info of the NavigationPreload response, DevTools can show the origin's security info.
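
Added example, not part of the original thread and not Chromium code: a JavaScript model of the per-origin fallback described in comment 4, run over constructed DevTools Protocol `Network.responseReceived` payloads. It separates origins where a sibling resource still supplies security details from origins where none does (the symptom in the issue description). The function name, status labels and sample hosts are assumptions made for illustration.

```javascript
// Constructed sample: the "response" objects of Network.responseReceived events.
// url, fromServiceWorker and securityDetails are DevTools Protocol fields;
// the hosts and values are made up for this example.
const sampleEvents = [
  // First response served through a service worker, no security details attached.
  { response: { url: "https://app.example/", fromServiceWorker: true } },
  // A later same-origin subresource that does carry security details.
  { response: { url: "https://app.example/main.js",
                securityDetails: { protocol: "TLS 1.2", subjectName: "app.example" } } },
  // Origin whose only response came through the service worker.
  { response: { url: "https://cdn.example/lib.js", fromServiceWorker: true } },
  // Plain HTTP never has TLS details, so it is not a gap.
  { response: { url: "http://plain.example/x.png" } },
];

// Hypothetical helper: group responses by origin and report whether any
// resource of that origin can answer a per-origin certificate lookup.
function classifyOrigins(events) {
  const byOrigin = new Map();
  for (const { response } of events) {
    const origin = new URL(response.url).origin;
    const e = byOrigin.get(origin) ||
      { total: 0, withDetails: 0, viaServiceWorker: 0, details: null };
    e.total += 1;
    if (response.fromServiceWorker) e.viaServiceWorker += 1;
    if (response.securityDetails) {
      e.withDetails += 1;
      e.details = e.details || response.securityDetails; // first match wins
    }
    byOrigin.set(origin, e);
  }
  const report = {};
  for (const [origin, e] of byOrigin) {
    let status;
    if (!origin.startsWith("https:")) status = "not-secure-scheme";
    else if (e.withDetails === e.total) status = "complete";
    else if (e.withDetails > 0) status = "covered-by-sibling"; // comment 4's case
    else status = "missing"; // what the Security panel would show as empty
    report[origin] = {
      status,
      viaServiceWorker: e.viaServiceWorker,
      subject: e.details ? e.details.subjectName : null,
    };
  }
  return report;
}
```

An origin reported as "missing" with a non-zero `viaServiceWorker` count is the one worth checking by hand in the Security panel.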

Comment 5 by horo@chromium.org, Apr 19 2017

Status: WontFix (was: Assigned)
Filed issue 713203 for PlzNavigate.