Issue 777149

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug

AppCache can fallback beyond SW's scope

Reported by s.h.h.n....@gmail.com, Oct 21 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/images/pwa.html (SW registration)
2. Go to https://test.shhnjk.com/images/appca.html (AppCache registration)
3. Now go to https://test.shhnjk.com/image and observe fallback from Appcache

What is the expected behavior?
AppCache fallback is disabled since AppCache's registration page, manifest file, and fallback file are all under the scope of Service Worker.

What went wrong?
AppCache fallback triggers when user navigates beyond SW's scope.

Did this work before? N/A 

Chrome version: 62.0.3202.62  Channel: stable
OS Version: OS X 10.13.0
Flash Version:
 
Components: Blink>ServiceWorker Blink>Storage>AppCache
Labels: OS-Android OS-Chrome OS-Linux OS-Windows
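As an added example (not code from the report or from Chromium), a JavaScript audit check for a site that runs AppCache and a Service Worker side by side: it parses the manifest's FALLBACK section and flags any namespace that lies outside the SW scope, which is the configuration the steps above exercise. The manifest URL, the fallback file name and the SW scope `https://test.shhnjk.com/images/` are assumptions; the manifest text is constructed.

```javascript
// Constructed manifest modelled on the report: served from under /images/,
// fallback namespace /image, fallback file name assumed (not given in the report).
const MANIFEST_URL = "https://test.shhnjk.com/images/appca.manifest"; // assumed
const MANIFEST_TEXT = `CACHE MANIFEST
# constructed sample, v1
CACHE:
appca.html
NETWORK:
*
FALLBACK:
/image /images/fallback.html
`;

// Parse FALLBACK entries ("namespace fallback-url"); both URLs resolve against the manifest URL.
function parseFallbacks(text, manifestUrl) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== "CACHE MANIFEST") throw new Error("not an AppCache manifest");
  let section = "CACHE"; // entries before any section header belong to CACHE
  const fallbacks = [];
  for (const line of lines.slice(1)) {
    if (!line || line.startsWith("#")) continue;
    if (/^(CACHE|NETWORK|FALLBACK):$/.test(line)) { section = line.slice(0, -1); continue; }
    if (section !== "FALLBACK") continue;
    const [ns, target] = line.split(/\s+/);
    if (!ns || !target) continue; // malformed entry: skipped
    fallbacks.push({
      namespace: new URL(ns, manifestUrl).href,
      fallback: new URL(target, manifestUrl).href,
    });
  }
  return fallbacks;
}

// Both SW scope matching and AppCache fallback namespace matching are URL-prefix matches.
function inScope(url, scope) { return url.startsWith(scope); }

// Fallback namespaces that can serve navigations the SW never sees (the report's situation).
function fallbacksBeyondScope(text, manifestUrl, swScope) {
  return parseFallbacks(text, manifestUrl).filter((f) => !inScope(f.namespace, swScope));
}

// Which layer answers a navigation under the behaviour observed in the report:
// SW if the URL is in scope, otherwise a matching AppCache fallback, otherwise the network.
function handlerFor(navUrl, swScope, fallbacks) {
  if (inScope(navUrl, swScope)) return "service-worker";
  const hit = fallbacks.find((f) => inScope(navUrl, f.namespace));
  return hit ? `appcache-fallback:${hit.fallback}` : "network";
}
```

Running `fallbacksBeyondScope` over a site's manifests during an AppCache-to-SW migration lists exactly the namespaces that keep serving cached content after the worker has taken over its scope.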

Comment 2 by palmer@chromium.org, Oct 31 2017

Cc: kinuko@chromium.org michaeln@chromium.org jsb...@chromium.org
Labels: OS-Fuchsia
Owner: falken@chromium.org
Status: Assigned (was: Unconfirmed)
falken, any chance you could take a look at this, or pick a better person to handle it? Thanks!

Also, I'm not entirely sure what the security implications of this would be. It would certainly seem likely to lead to unexpected app behavior, but not necessarily to enable any attacks. However, I am not an expert in this area, obviously.

Please feel free to CC anyone else on this bug who can help! Thanks, all.

Comment 3 by falken@chromium.org, Oct 31 2017

jsbell: Can you help look at this? I am not really familiar with AppCache.

This does not sound like a security bug though? Even if we are doing something weird mixing AppCache and service workers, everything is coming from the same origin.

Finally, is this bug different from issue 410665? Seems similar if not the same.
Issue 410665 only covers the case where the manifest navigation is within the SW's scope. This issue is about a manifest navigation that is beyond the SW's scope, while all fallbacks and caches are within the SW's scope.

Comment 5 by jsb...@chromium.org, Oct 31 2017

Cc: pwnall@chromium.org
+pwnall@ (I'll be OOO for a bit)

Comment 6 by vakh@chromium.org, Nov 2 2017

Labels: Security_Impact-Stable
pwnall -- can you please take a look at this security bug? thanks.
I still don't really think it's a security bug. Scope isn't a hard security boundary, only origins are.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable Security_Impact-None Type-Bug
I agree with comment 7, removing security labels