New issue
Advanced search Search tips

Issue 909025 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Nov 28
Cc:
falken@chromium.org
rdevlin....@chromium.org
wfh@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Which service worker should be used by extension content scripts?

Project Member Reported by lukasza@chromium.org, Nov 27 
The new test in https://crrev.com/c/1352598 shows that fetches from extension content scripts do not go through an extension service worker (I am guessing that they go through the webpage's service worker).  This is slightly surprising, because fetches from content scripts use an extension-specific origin (rather than webpage-specific origin) as request_initiator (guiding CORS and related security decisions in the network service process).

Background doc (on @chromium.org, but currently shared only with specific people - ask for access if needed): https://docs.google.com/document/d/13_BhgeK3DNVMvZ5gmKosk2n5EEFxiFX6cKArlQ00_t4/edit#

Comment 1 by lukasza@chromium.org, Nov 27

Cc: falken@chromium.org rdevlin....@chromium.org
falken@, rdevlin.cronin@ - WDYT?  Is this WAI, or is it a bug?

Comment 2 by lukasza@chromium.org, Nov 27 

falken@: Also a Site Isolation question (kind of related to issue 786673): Would a compromised *web* renderer be able to route a fetch request through an *extension* service worker (the latter being mostly exempt from CORS)?  I hope the answer is "no, the browser process won't let that happen".

Comment 3 by shimazu@chromium.org, Nov 28 

I'm not fully sure what's the correct behavior since any fetch requests from a controlled page seem to need to be handled by the page's service worker. It seems including fetch() from content scripts.

From the implementation point of view, it might not be easy in the current implementation to let those requests fire FetchEvents on an extension service worker since a page doesn't have any connection to the extension service worker and also we need to distinguish fetch() calls from an extension and a page.
For the same reason, I don't think a compromised renderer have a way to send a request through an extension service worker for now.

Comment 4 by falken@chromium.org, Nov 28 

My understanding is content scripts are injected into web pages. I would expect requests made such a content script to be intercepted by the wb page's service worker, not the extensions service worker. That fits the model of service workers: a context can be controlled by a single service worker, which sees all requests from that context.

I agree there seems to be a discrepancy between that model and |request_initiator|. I haven't encountered use of |request_initiator| in service worker implementation code. So I don't immediately see how to reconcile these two models, or if it's fine as-is.

For c#2, the answer is indeed "no, the browser process won't let that happen". With ServiceWorkerServicification, the renderer only has access to a service worker that the browser  gives it a Mojo connection to. And pre-ServiceWorkerServicification, the browser makes the decision about where to route each request, and it'd only route it to the appropriate service worker.

Comment 5 by falken@chromium.org, Nov 28 

s/requests made/requests made by
s/extensions service worker/extension's service worker/

Comment 6 by lukasza@chromium.org, Nov 28

Status: WontFix (was: Untriaged)
Thanks for the explanations - the current behavior sgtm.  I'll resolve the bug as WontFix/WAI.

Sign in to add a comment