Nonce attribute for Web Worker #15

Closed
mikewest opened this issue Oct 7, 2015 · 3 comments
mikewest commented Oct 7, 2015

From @Nadoedalo on September 2, 2015 11:52

It seems that there is no way to set a nonce attribute for a Web Worker in order to allow the sandbox to do whatever it wants. Maybe there should be a way to set the nonce attribute in a header and/or in the script string/attribute?

I'm trying to run all unsafe code in a web worker's sandbox, but only Chrome understands a separate policy for the worker. Because of that I need to use the 'unsafe-eval' policy just because I'm using a template engine, and that can cause issues and doesn't really offer me protection.
Here are some links:

Firefox bug tracker
Stackoverflow question

Copied from original issue: w3c/webappsec#464

@mikewest mikewest added the CSP label Oct 7, 2015
mikewest commented Oct 7, 2015

I don't really follow what you're trying to do. Can you help me understand with some sample code?

mikewest commented Oct 7, 2015

From @Nadoedalo on September 2, 2015 13:06

I have the following CSP header: default-src 'self';
And the header for sandbox.js: default-src 'none'; script-src 'unsafe-eval';
And then I run new Function() in sandbox.js like this:
var worker = new window.Worker('sandbox.js');
and post a message with the template and data.

What I'm trying to do is run any eval code in a sandbox so it can't get or transfer data. And even if the result of the template is a <script>, it won't run because it isn't allowed to do so there.

It is clear that the CSP header should be applied to the Web Worker with its own policy, but it isn't anywhere except in Chrome, and when the policy is violated, Firefox, for example, refers to the original policy for the whole window.

So I thought there could be another way, with a nonce attribute. You can actually allow one script to do whatever it wants, so it could be applied to the worker in order to allow unsafe-eval only there.

The whole code example:

/* sandbox.js file */
(function(self){
    // Load the template engine first; importScripts is synchronous, so _ is
    // defined before any message can be handled.
    self.importScripts('http://underscorejs.org/underscore-min.js');
    self.addEventListener('message', function(e){
        var data = JSON.parse(e.data),
            // _.template compiles via new Function, which is why this worker
            // needs 'unsafe-eval' in its policy.
            template = _.template(data.template)(data.data);
        self.postMessage({
            template : template
        });
    });
    return self;
}(self));
/* template-call function */
function secureTemplate(template, data){
    var promise = new Promise(function(resolve, reject){
        // Reuse one worker across calls (declared with var; it was an
        // implicit global before).
        var worker = window._webWorker || new window.Worker('sandbox.js');
        // Keep a single function reference: .bind() returns a new function on
        // every call, so the original removeEventListener never matched and
        // the listener was never removed.
        function workerListener(e){
          worker.removeEventListener('message', workerListener);
          worker.removeEventListener('error', errorListener);
          resolve(e.data.template);
        }
        function errorListener(err){
          worker.removeEventListener('message', workerListener);
          worker.removeEventListener('error', errorListener);
          reject(err);
        }
        window._webWorker = worker;
        worker.addEventListener('message', workerListener);
        worker.addEventListener('error', errorListener);
        worker.postMessage(JSON.stringify({
          template : template,
          data : data
        }));
    });
    return promise;
}
/* call */
secureTemplate('<%=name%>', {name : 'Nadoedalo'}).then(function(html){
  console.log(html);
});

So if name contained <script>alert(1)</script> it will be processed later if unsafe-eval exists, and I have the 'unsafe-eval' directive to support Underscore's _.template (which runs new Function). But I could drop the 'unsafe-eval' directive if I had a nonce attribute set and could run the Web Worker with it.

But maybe a functional separate policy for the Web Worker is just fine; the thing is, it is not supported yet.

mikewest commented May 9, 2017

After waffling a bit, we've specified the worker model such that the worker inherits the policy from the page that instantiates it. I think this is taken care of today. Hopefully that deals with your use-case.
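An added example, not code from this issue or from the spec, that checks what the inheritance model in the closing comment means for the setup described above. It assumes, as that comment says, that the worker runs under the instantiating page's policy, and applies the general CSP rule that when several policies apply each one must allow the action on its own; the directive fallback (script-src, then default-src) is the standard one.

```javascript
// Parse a CSP header value into Map<directive, [sources]>.
// The first occurrence of a directive wins, as in the CSP spec.
function parseCsp(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    const values = parts.slice(1).map((v) => v.toLowerCase());
    if (!policy.has(name)) policy.set(name, values);
  }
  return policy;
}

// Does a single policy permit eval-like code (eval, new Function)?
// script-src governs; default-src is the fallback; a policy with neither
// directive does not restrict eval at all.
function allowsEval(policy) {
  const sources = policy.has('script-src')
    ? policy.get('script-src')
    : policy.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Is eval allowed inside a dedicated worker, given the page's CSP header and
// the header served with the worker script? Assumption (from the closing
// comment): the worker inherits the page policy. If the worker response
// carries its own policy too, every applicable policy must allow the action.
function workerAllowsEval(pageHeader, workerHeader) {
  const policies = [parseCsp(pageHeader)];
  if (workerHeader && workerHeader.trim() !== '') {
    policies.push(parseCsp(workerHeader));
  }
  return policies.every(allowsEval);
}

// Constructed headers matching the setup in the thread: the page blocks
// eval, so under inheritance the worker's own 'unsafe-eval' is not enough.
const pageHeader = "default-src 'self'";
const sandboxHeader = "default-src 'none'; script-src 'unsafe-eval'";
console.log(workerAllowsEval(pageHeader, sandboxHeader)); // false
```

The only way to let the worker's `_.template` run under this model is to carry 'unsafe-eval' in the page's own script-src, which is exactly the relaxation the reporter wanted to avoid.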
