CSP isn't applied to Service Workers correctly in Chrome.
Reported by
codingma...@gmail.com,
Nov 3 2017
|
|||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36 Steps to reproduce the problem: I think this issue is strongly related to issue 579801 . Issue 579801 has been fixed in this revision https://chromium.googlesource.com/chromium/src.git/+/5289a5d4c98681e9a0f2d28da0c7aa35e282db57 However, it seems that this issue is reintroduced. I reproduce it in the latest chrome stable release. Download the attachments provided below and visit index.html. (Due to secure policy in chrome, ServiecWorker cannot be loaded in http:// and I don't have a https://, or you can visit the website provided by the submitter of issue 579801 , https://blazing-fire-305.firebaseapp.com/) There exists various tests with descriptions of the expected outcomes according to the CSP specification. > The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. If this directive is absent, the user agent will look for the child-src directive (which falls back to the default-src directive). Chrome failed the first test in which 'default-src' is set to none, and alse failed the second in which 'child-src' is set to a different origin. I am expecting to see CSP errors in the console rather than 'offline worker registered'. In the latest FireFox the CSP error is triggered when loading the first and the second test. What is the expected behavior? What went wrong? CSP isn't applied to Service Workers correctly in Chrome. Did this work before? Yes Chrome version: 62.0.3202.75 Channel: stable OS Version: OS X 10.12.6 Flash Version:
,
Nov 3 2017
,
Nov 4 2017
,
Nov 4 2017
,
Nov 6 2017
,
Nov 10 2017
,
Nov 17 2017
andypaicu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 21 2017
mkwst: I bisected on the demo site https://blazing-fire-305.firebaseapp.com/ using the "Basic policy with no frame or child src. - expected errors" test. And the result was: $ python tools/bisect-builds.py -a linux64 -g 386251 -b 516552 -- --no-first-run https://blazing-fire-305.firebaseapp.com/ ... You are probably looking for a change made after 458025 (known good), but no later than 458026 (first known bad). CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/ba21ffd704aebcc8a5e5e1ab1f072e9b79b51fcb..d8cc69507968d87cea7eeefc39c0dae78f960879 The change is: d8cc695 CSP: Move 'worker-src' onto 'script-src' by mkwst ยท 8 months ago Which might mean this was an intentional change to the CSP API and this is WAI?
,
Nov 21 2017
FWIW that change was in 59.0.3047.0.
,
Nov 21 2017
Yes. This is an intentional change to the CSP API. I referred to the latest published CSP draft(https://www.w3.org/TR/2016/WD-CSP3-20160913/), not the latest editor draft, which leads to this misunderstanding. Thanks for the clarification!
,
Nov 21 2017
,
Nov 22 2017
mkwst: Do you agree we can close this?
,
Nov 22 2017
Sure.
,
Dec 1 2017
mkwst: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 7 2017
,
Jan 25 2018
,
Jan 26 2018
Oops, this slipped by attention. Closing as WontFix per comments.
,
May 4 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||
Comment 1 by elawrence@chromium.org
, Nov 3 2017Components: Blink>ServiceWorker Blink>SecurityFeature