Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'strict-dynamic' should bless programmatically added workers #200

Closed
arturjanc opened this issue Apr 5, 2017 · 9 comments
Closed

'strict-dynamic' should bless programmatically added workers #200

arturjanc opened this issue Apr 5, 2017 · 9 comments

Comments

@arturjanc
Copy link

According to the current version of the spec (https://w3c.github.io/webappsec-csp/#changes-from-level-2), the loading of workers will be subject to script-src if the policy doesn't explicitly set worker-src.

Many policies don't explicitly set worker-src, which is fine for most whitelist-based policies because workers which match the script-src whitelist will still be allowed (or the developer can expand script-src to cover the locations of such workers). For policies based on 'strict-dynamic', however, the script-src whitelist gets ignored which means that the application cannot create new workers (at least without adding worker-src to the policy which can be undesirable for other reasons).

To address this we should allow code such as new Worker(...) to allow the loading of arbitrary resources if the worker policy contains 'strict-dynamic'; this is consistent with the behavior of other non-parser-based APIs such as document.createElement which allow the loading of all scripts.

Similarly, once we're executing a worker, if the policy governing the worker contains script-src 'strict-dynamic' we should bless importScripts() and allow it to load arbitrary worker scripts.
@mikewest
Copy link
Member

mikewest commented Apr 6, 2017

Yeah, I think this makes sense. It's "the same" as a script loading another script.

@mikewest
Copy link
Member

mikewest commented Apr 6, 2017

In fact, it makes so much sense that it's actually already what the spec says, with a tiny caveat that I forgot to update along with worker-src changes. Sooooooo. I'll go fix Chrome, I guess. :)

/cc @ckerschb, @mozfreddyb, @dveditz, FYI.

@mikewest
Copy link
Member

mikewest commented Apr 6, 2017

(20b9193 was the tiny caveat)

@mikewest mikewest closed this as completed Apr 6, 2017
@dconnolly
Copy link

Yay!

@arturjanc
Copy link
Author

@mikewest Does this also cover the case of importScripts() when executed from inside a worker? I kind of conflated the two in the description above, but maybe this should be a separate bug if the spec requires a different change (or an explanatory note).

@mikewest
Copy link
Member

From a spec perspective, yes. From a Chrome perspective, maybe? I didn't check, but it might work! Maybe! Write a test, file a bug if it fails. :)

@arturjanc
Copy link
Author

You're right, this works for me in Chrome canary already: https://arturjanc.com/csp/workers/service-worker-external-importscripts.html Thanks!

@mikewest
Copy link
Member

Huzzah!

@mikewest
Copy link
Member

(Would you mind turning that into a web platform test so we can lock in the behavior and not accidentally regress in the future, @arturjanc? :) )

@arturjanc arturjanc mentioned this issue Dec 4, 2018
Open
This was referenced Dec 18, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mikewest @dconnolly @arturjanc