
secure contexts and Workers created from data URLs #74

Closed

yutakahirano opened this issue Apr 15, 2020 · 5 comments

Comments

@yutakahirano

https://w3c.github.io/webappsec-secure-contexts/#is-settings-object-contextually-secure
states:

  • If global is a WorkerGlobalScope, then:
    • For each Document (document) in global’s owner set:
      • Assert: Workers must be same-origin with the context that created them, so document’s relevant settings object's origin and HTTPS state is the same as global’s relevant settings object's origin and HTTPS state.
      • If document’s relevant settings object is not contextually secure, return "Not Secure".
    • Return "Secure".
  • ...

The assertion is confusing or wrong, because a worker can be created from a data URL, and in that case the worker is not same origin with its parent context.

@yutakahirano (Author)

cc: @annevk @nhiroki

My understanding is that a worker should inherit its owner set documents' HTTPS state, and the assertion should be fixed accordingly. Please let me know if you think otherwise.

Related to web-platform-tests/wpt#22929.

annevk (Member) commented Apr 15, 2020

Thanks for spotting that, agreed! See also whatwg/html#5254 for some additional complexity due to data URL workers. (To be clear, we took on that complexity as we also wanted sandboxed workers in due course, which would have a similar model.)

nhiroki commented Apr 15, 2020

+1.

For reference, the HTML spec defines that a data URL worker has an opaque origin:

The origin:
Return a unique opaque origin if worker global scope's url's scheme is "data", and inherited origin otherwise.

And the Fetch spec defines that a response for a data URL has the fetch client's HTTPS state, that is, the document's HTTPS state:

"data":
3. Return a response whose status message is OK, header list consist of a single header whose name is Content-Type and value is dataURLStruct’s MIME type, serialized, body is dataURLStruct’s body, and HTTPS state is request’s client’s HTTPS state if request’s client is non-null.
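The following is an added example, not code from the Secure Contexts spec, from HTML or Fetch, or from anyone in this thread. It models the worker branch of "Is settings object contextually secure?" quoted in the opening post together with the two definitions cited just above: a data: URL worker gets a fresh opaque origin (HTML) and a data: URL response carries its fetch client's HTTPS state (Fetch). It shows why the same-origin half of the assertion cannot hold for a data: URL worker while the HTTPS-state half does, which is the fix proposed in the thread. All function names and the shape of the settings objects are assumptions made here; the Document branch of the algorithm is not quoted on this page and is simplified to "HTTPS state is modern", which is also an assumption.

```javascript
// Added example: a model of the secure-context check for a Worker created
// from a data: URL. Nothing here is spec text; names and shapes are ours.

// Origins: a tuple origin is compared by value, an opaque origin is only
// equal to itself (so it is never same-origin with its creator).
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function tupleOrigin(scheme, host, port) {
  return { opaque: false, scheme, host, port };
}

function opaqueOrigin() {
  return { opaque: true };
}

// A settings object carries an origin and an HTTPS state ("modern" or "none").
function settingsObject(origin, httpsState) {
  return { origin, httpsState };
}

// Settings for a Worker whose script was fetched from scriptUrl by a client
// with clientSettings. For a data: URL the origin is a unique opaque origin
// (HTML) and the HTTPS state is the client's (Fetch); otherwise the worker
// inherits both from the client.
function workerSettingsFor(scriptUrl, clientSettings) {
  const isDataUrl = scriptUrl.startsWith("data:");
  return settingsObject(
    isDataUrl ? opaqueOrigin() : clientSettings.origin,
    clientSettings.httpsState
  );
}

// The assertion as written in the spec at the time: the worker is
// same-origin with every owner document and shares its HTTPS state.
// Returns whether it holds rather than throwing, so it can be inspected.
function originalAssertionHolds(workerSettings, ownerSet) {
  return ownerSet.every(
    (owner) =>
      sameOrigin(owner.origin, workerSettings.origin) &&
      owner.httpsState === workerSettings.httpsState
  );
}

// Simplified Document branch (assumption: "modern" HTTPS state means secure).
function isDocumentContextuallySecure(docSettings) {
  return docSettings.httpsState === "modern" ? "Secure" : "Not Secure";
}

// Worker branch, with the assertion reduced to the part that still holds for
// data: URL workers: the worker inherits its owner documents' HTTPS state.
function isWorkerContextuallySecure(workerSettings, ownerSet) {
  for (const owner of ownerSet) {
    if (owner.httpsState !== workerSettings.httpsState) {
      throw new Error("assertion failed: worker HTTPS state differs from owner");
    }
    if (isDocumentContextuallySecure(owner) === "Not Secure") return "Not Secure";
  }
  return "Secure";
}

// Constructed scenario: an https document spawns a worker from a data: URL.
const secureDoc = settingsObject(tupleOrigin("https", "example.com", 443), "modern");
const dataWorker = workerSettingsFor(
  "data:text/javascript,self.postMessage(1)",
  secureDoc
);

// The worker is not same-origin with its owner, so the original assertion
// fails, yet the worker is still contextually secure via inherited HTTPS state.
function demo() {
  return {
    sameOriginWithOwner: sameOrigin(dataWorker.origin, secureDoc.origin),
    originalAssertion: originalAssertionHolds(dataWorker, [secureDoc]),
    result: isWorkerContextuallySecure(dataWorker, [secureDoc]),
  };
}

console.log(demo());
```

Running it prints that the data: URL worker is not same-origin with its owner and that the original assertion fails, while the result is still "Secure"; swapping the owner for an http document with HTTPS state "none" makes the same worker "Not Secure", which is the inheritance the thread describes.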

domenic added a commit to whatwg/html that referenced this issue Jun 19, 2020
domenic added a commit to whatwg/html that referenced this issue Jun 24, 2020
domenic added a commit to whatwg/html that referenced this issue Jun 25, 2020
@annevk annevk reopened this Jul 2, 2020
annevk (Member) commented Jul 2, 2020

whatwg/html#5659 resolved this, but since this specification doesn't appear to be maintained, leaving this open for now for visibility.

mfreed7 pushed a commit to mfreed7/html that referenced this issue Sep 11, 2020
annevk (Member) commented Jan 12, 2021

Solved by #84.

@annevk annevk closed this as completed Jan 12, 2021