Skip to content

Commit

Permalink
Fix isSecureContext for workers created from data urls in secure cont…
Browse files Browse the repository at this point in the history
…exts

Worker created from data urls in secure contexts should be considered
as in secure contexts as well.
Spec: https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts
Discussions: w3c/webappsec-secure-contexts#69

Alternatives considered:
- Make ExecutionContext::IsSecureContext virtual
and provide a specialized WorkerGlobalScope. The problem is that it
bypasses the UseCounter logging in [1]
- Call security_origin.SetOpaqueOriginIsPotentiallyTrustworthy(true) at
[2]. This makes IsPotentiallyTrustworthy() true for this specific
security_origin. However, other places call IsPotentiallyTrustworthy()
too so I am not sure whether this breaks other intended behaviors.

[1] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/execution_context/security_context.cc;l=124-126
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/workers/worker_global_scope.cc;l=137;bpv=1;bpt=1

Bug: 1325494
Change-Id: Id5c7c3bc61b320426249bde0e346bd1f5f0b33d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4377256
Commit-Queue: Jonathan Hao <[email protected]>
Reviewed-by: Nate Chapin <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1125248}
  • Loading branch information
johnathan79717 authored and cookiecrook committed Apr 8, 2023
1 parent b164631 commit 01720e5
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
9 changes: 9 additions & 0 deletions secure-contexts/basic-dedicated-worker.html
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
var t4 = async_test("HTTPS nested worker");
var t5 = async_test("HTTP worker from HTTPS subframe");
var t6 = async_test("HTTPS worker from HTTPS subframe");
var t7 = async_test("Worker from data URL");

var w1 = new Worker(http_dir + "support/dedicated-worker-script.js");
w1.onmessage = t1.step_func_done(function(e) {
Expand Down Expand Up @@ -89,6 +90,14 @@
var ifr = document.createElement("iframe");
ifr.src = https_dir + "support/https-subframe-dedicated.html";
document.body.appendChild(ifr);

var w7 = new Worker("data:text/javascript,postMessage(isSecureContext);");
w7.onmessage = t7.step_func_done(function(e) {
assert_false(e.data);
});
w7.onerror = t7.step_func_done(function(e) {
assert_unreached("isSecureContext should be supported");
});
</script>
</body>
</html>
Expand Down
15 changes: 15 additions & 0 deletions secure-contexts/basic-shared-worker.html
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
var t2 = async_test("Nested worker in shared worker");
var t3 = async_test("Shared worker from https subframe");
var t4 = async_test("Nested worker from shared worker from https subframe");
var t5 = async_test("Shared worker from data URL");
// Tests for SharedWorkers used from other workers (not supported right
// now) would go here.

Expand Down Expand Up @@ -64,6 +65,20 @@
var ifr = document.createElement("iframe");
ifr.src = https_dir2 + "support/https-subframe-shared.html";
document.body.appendChild(ifr);

t5.step(function() {
var w = new SharedWorker(
`data:text/javascript,addEventListener("connect", function (e) {
var port = e.ports[0];
port.start();
port.postMessage(isSecureContext);
});`
);
w.port.onmessage = t5.step_func_done(function(e) {
assert_false(e.data);
});
w.port.start();
});
</script>
</body>
</html>

0 comments on commit 01720e5

Please sign in to comment.