
Issue 898044

Starred by 2 users

Issue metadata

Status: Closed
Owner: ----
Closed: Nov 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug


AbstractWorker::ResolveURL fails cross-origin workers too quickly

Project Member Reported by domfarolino@gmail.com, Oct 23

Issue description

In my CL to change the default credentials mode for module scripts, I noticed that the way we handle not supporting cross-origin workers of any kind (that is, classic or module) is by having an early fail in AbstractWorker::ResolveURL [1]. We basically throw a DOMException if the worker's URL is cross-origin.

It is true that cross-origin workers of any kind should not be supported, but in the HTML Standard this is ensured by setting the request's mode to "same-origin", so any cross-origin request will fail and the Worker's error event will be fired. This is tested [2] (the tests are being refined and extended to module workers), and since Chrome disallows even cross-origin worker construction, Chrome fails the test.

My question: Can we remove AbstractWorker's exception-throwing behavior here? Or is it possible that even attempting to fetch a guaranteed-to-fail cross-origin worker request is insecure enough for us to not be able to budge?

[1]: https://chromium-review.googlesource.com/c/chromium/src/+/1239638/6/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc#120

[2]: https://github.com/web-platform-tests/wpt/pull/13671
Seems this was a false alarm, apologies. bz found the spec text in #dom-worker [1] that allows UAs to immediately fail Worker construction in cases like this. Will close this once the tests merge and this is no longer needed.

[1]: https://html.spec.whatwg.org/multipage/workers.html#dom-worker

(worker bug triage)

domfarolino@: Any update on this?

Status: Closed (was: Untriaged)

Sorry, yes, this should be closed after some further discussion. The behavior Chrome has is indeed allowed by spec. Thanks for the ping.
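The two outcomes discussed in this thread, as an added example that is not code from the bug, from Chromium or from the HTML Standard: a small JavaScript helper that treats a dedicated Worker as failed whether the constructor throws immediately (Chrome's early failure, which the spec's #dom-worker text permits) or construction succeeds, the same-origin fetch fails and an "error" event is fired at the Worker. The names `isSameOrigin`, `startWorker` and `makeFakeWorkerCtor` are assumptions of this example; the fake Worker class is a constructed stand-in that exists only so the code runs outside a browser, and the `SecurityError` name it throws is an assumed value for the fake, not something the thread states about Chrome.

```javascript
// Added example, not from the Chromium bug or the HTML Standard.
// Handles both ways a browser may reject a cross-origin dedicated-worker URL:
//   (a) the Worker constructor throws synchronously (Chrome's early failure
//       in AbstractWorker::ResolveURL, permitted by the spec's #dom-worker text);
//   (b) construction succeeds, the script fetch is made with mode "same-origin"
//       and fails, and an "error" event is fired at the Worker object.
// WorkerCtor is injected so the helper can run outside a browser; in a page
// you pass the global Worker.

// Same-origin check done the way the Worker constructor resolves its URL:
// relative to the document's URL, then compared by origin.
function isSameOrigin(scriptUrl, documentUrl) {
  const resolved = new URL(scriptUrl, documentUrl);
  return resolved.origin === new URL(documentUrl).origin;
}

// Starts a worker and resolves to an object describing the outcome:
//   { ok: true,  stage: "running",   worker }
//   { ok: false, stage: "construct", name }   -- path (a)
//   { ok: false, stage: "fetch",     name }   -- path (b)
function startWorker(scriptUrl, WorkerCtor) {
  return new Promise((resolve) => {
    let worker;
    try {
      worker = new WorkerCtor(scriptUrl);
    } catch (err) {
      resolve({ ok: false, stage: "construct", name: err && err.name });
      return;
    }
    // Listeners are attached synchronously, before any fetch outcome can be
    // delivered, so neither the error nor the first message is missed.
    worker.addEventListener("error", () =>
      resolve({ ok: false, stage: "fetch", name: "ErrorEvent" }));
    worker.addEventListener("message", () =>
      resolve({ ok: true, stage: "running", worker }));
  });
}

// Constructed stand-in for the browser's Worker class (assumption: not real
// browser code). `behaviour` selects which spec-permitted outcome to simulate
// for a cross-origin URL: "throw" (Chrome-like) or "event". The "SecurityError"
// name is an assumed value for the fake, not a claim about what Chrome throws.
function makeFakeWorkerCtor(behaviour, documentUrl) {
  return class FakeWorker {
    constructor(scriptUrl) {
      this.listeners = {};
      const crossOrigin = !isSameOrigin(scriptUrl, documentUrl);
      if (crossOrigin && behaviour === "throw") {
        const err = new Error("cross-origin worker URL rejected at construction");
        err.name = "SecurityError";
        throw err;
      }
      // Simulate the asynchronous fetch: a same-origin script "runs" and posts
      // a message; a cross-origin fetch fails and fires "error".
      queueMicrotask(() => this.dispatch(crossOrigin ? "error" : "message"));
    }
    addEventListener(type, cb) {
      if (!this.listeners[type]) this.listeners[type] = [];
      this.listeners[type].push(cb);
    }
    dispatch(type) {
      for (const cb of this.listeners[type] || []) cb({ type });
    }
  };
}

// Stand-alone demonstration of all three outcomes on constructed URLs.
async function demo() {
  const doc = "https://app.example/index.html";
  return {
    sameOrigin: await startWorker("/worker.js", makeFakeWorkerCtor("throw", doc)),
    chromeStyle: await startWorker("https://cdn.example/worker.js", makeFakeWorkerCtor("throw", doc)),
    specEvent: await startWorker("https://cdn.example/worker.js", makeFakeWorkerCtor("event", doc)),
  };
}

demo().then((r) =>
  console.log(JSON.stringify(r, (k, v) => (k === "worker" ? "[worker]" : v), 2)));
```

In a page you would pass the global `Worker` as `WorkerCtor`. Checking `isSameOrigin` before construction avoids depending on either browser path at all and keeps the application from ever requesting a worker script from an origin it does not control; `startWorker` is the fallback for code that must behave the same whether the UA fails fast or lets the same-origin fetch fail.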