Issue 890316

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 4
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Chrome resources not allowed to use importScript

Project Member Reported by joha...@vewd.com, Sep 28

Issue description

Regression from crbug.com/879994, which added a strict check on mimetype for importScript().
This causes chrome:// resources that use importScript(*.js) to be denied.

Should chrome: resources use the same code path as response.Url().IsLocalFile() in allowed_by_nosniff.cc:130?
Looks like chrome: does have a ResourceResponse::MimeType() but not a ResourceResponse::HttpContentType(), so maybe we need to check that instead?

In our use case we have a worker in a chrome:// resource that imports some scripts via importScript(), and this fails due to the above change.

A possible solution that works for me is to do "(response.Url().IsLocalFile() || response.Url().ProtocolIs("chrome")) && ..." in MimeTypeAsScriptImpl() in allowed_by_nosniff.cc, row 130.

Owner: vogelheim@chromium.org
Status: Assigned (was: Untriaged)
Thanks for the report.

Instead of exempting only file: URLs (or exempting file: + chrome: URLs), we'll probably check for a specific set of protocols to apply the check to. (E.g., check only 'true' network protocols; or check http-family only.)
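
The two policies discussed above, side by side, as an added example that is not Blink's code or the landed change. The `Response` struct and function names are hypothetical, and the MIME list is the JavaScript MIME type set from the WHATWG MIME Sniffing standard.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

struct Response {  // hypothetical stand-in (added example, not Blink code)
  std::string url;
  std::string http_content_type;  // empty when there is no HTTP header
};
static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}
static std::string Scheme(const std::string& url) {
  auto colon = url.find(':');
  return colon == std::string::npos ? std::string() : Lower(url.substr(0, colon));
}
// MIME essence: drop parameters, trim blanks, lowercase.
static std::string Essence(const std::string& ct) {
  std::string t = ct.substr(0, ct.find(';'));
  auto b = t.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  return Lower(t.substr(b, t.find_last_not_of(" \t") - b + 1));
}
static bool IsJavaScriptMime(const std::string& ct) {
  static const std::set<std::string> kTypes = {
      "application/ecmascript", "application/javascript",
      "application/x-ecmascript", "application/x-javascript",
      "text/ecmascript", "text/javascript", "text/jscript", "text/livescript",
      "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
      "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
      "text/x-ecmascript", "text/x-javascript"};
  return kTypes.count(Essence(ct)) > 0;
}
// Policy A: exempt only file: URLs; chrome:// falls through to the header check.
bool AllowedExemptFileOnly(const Response& r) {
  return Scheme(r.url) == "file" || IsJavaScriptMime(r.http_content_type);
}
// Policy B: apply the strict check to the http family only.
bool AllowedCheckHttpFamilyOnly(const Response& r) {
  const std::string s = Scheme(r.url);
  return (s != "http" && s != "https") || IsJavaScriptMime(r.http_content_type);
}
int main() {  // constructed sample: chrome:// response with no HTTP Content-Type
  Response r{"chrome://resources/js/util.js", ""};
  std::cout << AllowedExemptFileOnly(r) << AllowedCheckHttpFamilyOnly(r) << "\n";
}
```
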
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 4

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7cb5629d0f158782835a38282c48700ebbd19695

commit 7cb5629d0f158782835a38282c48700ebbd19695
Author: Daniel Vogelheim <vogelheim@chromium.org>
Date: Thu Oct 04 14:33:53 2018

[nosniff] Fix AllowedByNosniff for chrome:// URL schemes (& friends)

Bug:  890316 
Change-Id: I529c99ee497b154ca42d3e3ab5bcf1ab52ab00f3
Reviewed-on: https://chromium-review.googlesource.com/c/1256947
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#596660}
[modify] https://crrev.com/7cb5629d0f158782835a38282c48700ebbd19695/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc
[modify] https://crrev.com/7cb5629d0f158782835a38282c48700ebbd19695/third_party/blink/renderer/core/loader/allowed_by_nosniff_test.cc

Status: Fixed (was: Assigned)
Fixed. (Fix will probably make it into M71.)

johan_e: Please verify.
Status: Verified (was: Fixed)
I can verify that this fix works for the original issue I had with chrome:// resources.