Security: Registering a Service Worker with all rights, no https require.
Reported by heienbro...@gmail.com, Jun 19 2018
Issue description

VULNERABILITY DETAILS
It is possible to register a service worker with all rights; to do this, an https connection is not required.

VERSION
Chrome Version: 67.0.3396.87 (Offizieller Build) (64-Bit) (cohort: Stable)
Operating System: Windows 10 / 64 bit / current version

REPRODUCTION CASE
Registering the Service Worker requires 3 steps.
1. Fake an SSL certificate (a simple self-created one is enough, like one created with your local xampp).
2. Navigate the user to your https version of the website. Try to register the Service Worker. Chrome will stop the attempt and issue an error message on the console. When we try to access the service worker, we get a reference error.
3. Redirect the user to the http version of the website and try the registration again. This will work fine, and now it is possible to post messages to the Service Worker.
Jun 26 2018
falken@, can you please triage. If not a bug, please WontFix.
Jun 27 2018
If this works, it's a bug. heienbrockjannis, can you provide a POC? Also can you try in Chrome 69? We've recently changed it so navigator.serviceWorker is not even exposed on HTTP sites.
Jun 27 2018
Please excuse the late reply, I did not have that much time lately. I'll do another test tomorrow at Version 69 and upload the example code.
Jun 28 2018
Link the user the first time to the https site with the fake SSL certificate. The code will register the serviceworker and link the user to the http site.
Jun 29 2018
sharing this bug
Jun 29 2018
heienbrockjannis@: Thanks for following up. Can I just confirm that the http site isn't localhost or another local origin like 127/8? Chrome has an exception for http://localhost. Could you paste output from chrome://serviceworker-internals that shows the service worker registered for the https site? I'm wondering if the POC requires the first step where you go to an https site with a fake SSL certificate. If you have a real SSL certificate there, does the bug not occur? I don't immediately know how to make a remote non-localhost https server with a bad certificate, so just wanted to confirm this first.
Jun 29 2018
"registered for the https site" -> "registered for the http site"
Jul 4
To the bug reporter: Are you able to provide us any further information to help us understand this, such as that requested in comment 7?
Jul 5
falken@: I tried it on localhost and another private test server. Currently I can't test it on a public server. Yes, you can also use a real SSL certificate. The point is that you can do it also when Chrome logs an error. After the error on https you cannot use the service worker; on http you can use it.
Jul 6
I couldn't reproduce the issue on Chrome 69. What I did:
- Configure nginx to listen to both http (port 80) and https (port 443) on my machine.
- Download files attached in comment #5 and put them into the document root of nginx (main.js -> js/main.js).
- Navigate to the machine like https://192.168.1.100.
- The page redirected to http://192.168.1.100. navigator.serviceWorker is undefined.

Please let me know if I miss something. (As noted in comment #7, Chrome has an exception for localhost/127.0.0.1)
Jul 6
Thanks bashi@ for looking. That's also the behavior I'd expect.
Jul 6
Bashi, that was the correct way.
Jul 6
Thanks heienbrockjannis@. I'll close this as WontFix since http localhost is considered secure and we couldn't repro on http non-localhost. Let me know if I'm missing something.
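
The thread's outcome turns on which origins Chrome treats as secure for service workers. As an added example (not code from this thread or from Chromium), the simplified check below reproduces the decisions described in the comments above; the function names and the `certError` flag are hypothetical, and the sample URLs are constructed to mirror the test setups mentioned.

```javascript
// Added illustration, not Chromium source. Simplified origin check covering
// only the cases raised in this thread; certError is a hypothetical flag.
function isLoopbackHost(hostname) {
  const host = hostname.replace(/\.$/, ""); // treat "localhost." as "localhost"
  return host === "localhost" ||
         host.endsWith(".localhost") ||
         /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) || // 127.0.0.0/8
         host === "[::1]";                                // IPv6 loopback
}

function serviceWorkerDecision(urlString, { certError = false } = {}) {
  const url = new URL(urlString);
  if (url.protocol === "https:") {
    // Step 2 of the report: registration fails on a page with a bad certificate.
    return certError
      ? { allowed: false, reason: "https with certificate error" }
      : { allowed: true, reason: "https" };
  }
  if (url.protocol === "http:" && isLoopbackHost(url.hostname)) {
    // The exception named in the thread: http://localhost and 127/8.
    return { allowed: true, reason: "http loopback exception" };
  }
  // Plain http on a non-loopback host, e.g. a LAN address.
  return { allowed: false, reason: "insecure origin" };
}

// Constructed sample URLs mirroring the thread's test setups.
const cases = [
  ["https://192.168.1.100/", { certError: true }],
  ["http://192.168.1.100/", {}],
  ["http://localhost/", {}],
  ["http://127.0.0.1:8080/", {}],
];
for (const [u, opts] of cases) {
  const d = serviceWorkerDecision(u, opts);
  console.log(u, "->", d.allowed ? "allowed" : "blocked", `(${d.reason})`);
}
```

Inside a page, `window.isSecureContext` reports the browser's own decision for the current document, which is the value to log when triaging a report like this one.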
Oct 13
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, Jun 20 2018
Labels: Needs-Feedback