Would you mind checking in Canary? This should be resolved as of https://chromium-review.googlesource.com/c/chromium/src/+/741743, which landed on Thursday.

Not sure why your comments are being deleted. That is very strange. +awhalley@, who might be able to help?

You posted:

> Yes, this works on Canary too. Bug 582813 says it restricts
> secure<=>non-secure SharedWorker creation. But this bug is about
> Restrict non-secure<=>non-secure SharedWorker creation.

I think you might be misreading the HTML spec (which is reasonable, because the variable name is confusing). |isSecureContext| is a boolean, set in step 10. 11.4.2 compares the state of the settings object to that boolean. The intent is to allow non-secure to connect to non-secure, and secure to connect to secure, but not to allow mixed connections (secure<=>non-secure).

Does that make sense?

Your comment makes sense, but spec doesn't say to compare.
11.4.2 says:
If *Is environment settings object a secure context? on settings object* is not isSecureContext, then abort subsubsteps.

Which means (I think is) that whatever SharedWorkerGlobalScope object returned in 11.2 would't be connected to insecure context, no matter if SharedWorkerGlobalScope object itself is secure-context or not.

Firefox just does that.

I read that differently. |isSecureContext| is a variable, populated in step 10 with a bool representing the secure context state of the context that's calling the `SharedWorker` constructor. Let's say it's `http://vuln.shhnjk.com/`, which is not a secure context: |isSecureContext| will be set to `Not Secure` (per https://w3c.github.io/webappsec-secure-contexts/#settings-object).

Step 11.4.2 will run the same algorithm on the worker, and compare the result. Let's say the worker is `http://vuln.shhnjk.com/worker.js`, which is not a secure context: 11.4.1 will grab its settings object as |setting object|, 11.4.2 will compare "the result of executing Is environment settings object a secure context? on |settings object|" (`Not Secure`) with |isSecureContext| (`Not Secure`). They're the same, so no error event is fired.

Does Firefox fire an error event in this case? That's not what I see in FF56.

Firefox doesn't fire an error event...

// We are on same page that this returns "Not secure", let "Secure" be true and "Not secure" be false
var Is_environment_settings_object_a_secure_context = false;

// isSecureContext returns true if it's "Secure", otherwise false https://w3c.github.io/webappsec-secure-contexts/#monkey-patching-global-object
var isSecureContext = true;

// If *Is_environment_settings_object_a_secure_context* is not *isSecureContext*,
//then queue a task to fire an event named error at worker and abort these subsubsteps.
if(Is_environment_settings_object_a_secure_context != isSecureContext){
 alert("Error!!!");
}

WDYT?

Okay, you are right... My logic and programming skill sucks.

// We are on same page that this returns "Not secure".
var Is_environment_settings_object_a_secure_context = "Not Secure";

// isSecureContext returns true if it's "Secure", otherwise false https://w3c.github.io/webappsec-secure-contexts/#monkey-patching-global-object
function isSecureContext(context){
	if(context=="Secure"){
		return true;	
    }else{
		return false;
    }
}

// If *Is_environment_settings_object_a_secure_context* is not *isSecureContext*,
//then queue a task to fire an event named error at worker and abort these subsubsteps.
if(isSecureContext(Is_environment_settings_object_a_secure_context)){
 alert("Error!!!");
}

You can close the case :(

Oh, no! My programming skill sucks but logic might be okay!!!

// We are on same page that this returns "Not secure".
var Is_environment_settings_object_a_secure_context = "Not Secure";

// isSecureContext returns true if it's "Secure", otherwise false https://w3c.github.io/webappsec-secure-contexts/#monkey-patching-global-object
function isSecureContext(context){
	if(context=="Secure"){
		return true;	
    }else{
		return false;
    }
}

// If *Is_environment_settings_object_a_secure_context* is not *isSecureContext*,
//then queue a task to fire an event named error at worker and abort these subsubsteps.
if(!isSecureContext(Is_environment_settings_object_a_secure_context)){
 alert("Error!!!");
}

I'm not sure if we're on the same page or not, so, let me spell out my understanding below. I think you may still be confusing a variable named "isSecureContext" with the question "is X a secure context":

```
// Step 10: "Let |isSecureContext| be the result of executing
// **Is environment settings object a secure context?** on
// |outside settings|."
var isSecureContext = "Not Secure";

// Step 11.4.2: "If the result of executing **Is environment
// settings object a secure context?** on |settings object|...
var is_worker_a_secure_context = "Not Secure";

// ... is not |isSecureContext|, then queue a task to fire
// an event named error
if (is_worker_a_secure_context != isSecureContext) { 
  // error.
}
```

I continue not to understand how Chrome's behavior differs from Firefox's here. It looks the same to me?

OK!!!! I got it now. Sorry, I was totally wrong. So this seess to be a Firefox bug.

>I continue not to understand how Chrome's behavior differs from Firefox's here. It looks the same to me?

Open http://vuln.shhnjk.com/2.html on 2 tabs, click stop on one tab. Chrome tops both tabs, Firefox only stops one tab.


You can close the case :) Thanks for the explanation.

:) Thanks!

(Sent out https://github.com/whatwg/html/pull/3243 against the HTML spec in the hopes of cleaning up that language.)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot