Fix isSecureContext for workers created from data urls in secure cont…

…exts Worker created from data urls in secure contexts should be considered as in secure contexts as well. Spec: https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts Discussions: w3c/webappsec-secure-contexts#69 Alternatives considered: - Make ExecutionContext::IsSecureContext virtual and provide a specialized WorkerGlobalScope. The problem is that it bypasses the UseCounter logging in [1] - Call security_origin.SetOpaqueOriginIsPotentiallyTrustworthy(true) at [2]. This makes IsPotentiallyTrustworthy() true for this specific security_origin. However, other places call IsPotentiallyTrustworthy() too so I am not sure whether this breaks other intended behaviors. [1] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/execution_context/security_context.cc;l=124-126 [2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/workers/worker_global_scope.cc;l=137;bpv=1;bpt=1 Bug: 1325494 Change-Id: Id5c7c3bc61b320426249bde0e346bd1f5f0b33d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4377256 Commit-Queue: Jonathan Hao <phao@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/main@{#1125248}
web-platform-tests · Apr 3, 2023 · 060a3eb · 060a3eb
1 parent 95849f2
commit 060a3eb
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/secure-contexts/basic-dedicated-worker.html b/secure-contexts/basic-dedicated-worker.html
@@ -16,6 +16,7 @@
       var t4 = async_test("HTTPS nested worker");
       var t5 = async_test("HTTP worker from HTTPS subframe");
       var t6 = async_test("HTTPS worker from HTTPS subframe");
+      var t7 = async_test("Worker from data URL");
 
       var w1 = new Worker(http_dir + "support/dedicated-worker-script.js");
       w1.onmessage = t1.step_func_done(function(e) {
@@ -89,6 +90,14 @@
       var ifr = document.createElement("iframe");
       ifr.src = https_dir + "support/https-subframe-dedicated.html";
       document.body.appendChild(ifr);
+
+      var w7 = new Worker("data:text/javascript,postMessage(isSecureContext);");
+      w7.onmessage = t7.step_func_done(function(e) {
+        assert_false(e.data);
+      });
+      w7.onerror = t7.step_func_done(function(e) {
+        assert_unreached("isSecureContext should be supported");
+      });
     </script>
   </body>
 </html>

diff --git a/secure-contexts/basic-shared-worker.html b/secure-contexts/basic-shared-worker.html
@@ -14,6 +14,7 @@
       var t2 = async_test("Nested worker in shared worker");
       var t3 = async_test("Shared worker from https subframe");
       var t4 = async_test("Nested worker from shared worker from https subframe");
+      var t5 = async_test("Shared worker from data URL");
       // Tests for SharedWorkers used from other workers (not supported right
       // now) would go here.
 
@@ -64,6 +65,20 @@
       var ifr = document.createElement("iframe");
       ifr.src = https_dir2 + "support/https-subframe-shared.html";
       document.body.appendChild(ifr);
+
+      t5.step(function() {
+        var w = new SharedWorker(
+          `data:text/javascript,addEventListener("connect", function (e) {
+             var port = e.ports[0];
+             port.start();
+             port.postMessage(isSecureContext);
+          });`
+        );
+        w.port.onmessage = t5.step_func_done(function(e) {
+          assert_false(e.data);
+        });
+        w.port.start();
+      });
     </script>
   </body>
 </html>