-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What is the interaction between data URLs and workers (and some other data URL discussion) #1243
Comments
Oh, and the point is there is various stuff that's currently allowed by all browsers for data: sheets without throwing but is supposed to throw per spec. My guess is that the chances of said throwing being web-compatible are very low, so we need to change something about the specs here. And as long as we're doing that, we should do the thing that's maximally useful to web authors, and treat a data: sheet no differently than we would treat an inline stylesheet with the same text. |
@mikewest ^^ |
I agree with @bzbarsky that there's not much harm in treating such a stylesheet as same-origin. They can't be introduced from a cross-origin frame in the same way that I also agree with the assertions in #1779 with regard to images, audio, and video, for the same reasons. Chrome does carve out an exception for |
OK. So what is our best path forward here? A spec change that fixes all of these to use the same origin data URL flag? And web platform tests asserting that they work? |
So where do we want to treat them as cross-origin? Navigation is handled by setting the origin on document. Is workers the only other place? Because then instead of a flag we should just special case workers in Fetch or some such. |
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
It seems to me that we want to treat data: as cross-origin any time there will be script running with whatever origin the load ends up with. In practice I believe that restricts to navigation and maybe workers. For navigation, there's long discussion already. For workers, there are three conceivable behaviors:
Behavior 3 is simpler than behavior 2, but I think a bit less developer-friendly: you have to stick your string in a blob and then createObjectURL to get it to execute as a worker, which is a good bit more complicated than just prepending "data:application/javascript," to it and leads to the string leaking for the page lifetime unless you rememeber to revoke. I think behavior 2 doesn't introduce XSS vectors, fwiw. |
Just for the record, in my capacity as trying to help coordinate this many-threaded issue, it looks like whatwg/fetch#387 goes with 3 for now, if I am reading it correctly. |
I would be happy with unique-origin |
(Note that this means we should probably allow |
Okay, so for 2 we'd treat data URLs as same-origin in Fetch, but we special case worker environment creation to assign a unique origin for data URLs. We should only do this for dedicated workers I assume, as otherwise multiple origins can share a shared worker, which I don't think is a feature we necessarily want to offer, right? |
In particular, for 2 I need to update whatwg/fetch#387 to remove "worker" (so it's considered same-origin) and then update #1782 to assign this opaque origin to (dedicated) workers for data URLs. Allowing sandbox on workers we can do separately. |
If someone can confirm that I'm happy to make the updates. |
I don't think that a I can imagine cases in which a sandboxed shared worker could make sense, but I'd be fine with limiting that to dedicated workers as well. I don't think |
Sandboxed shared worker seems fine, since setting it up is still limited by same-origin checks. I guess I can take a look how much additional work the sandboxing is while making this change. |
Sandboxed shared workers are actually more complicated than I thought, because with module workers the URL can be cross-origin (we rely on a same-origin check between the worker global scope and the current settings object of the script invoking |
New plan:
The only thing that's still a little unclear in all this is module workers and their interaction with data URLs. Should probably investigate that a little more. |
I updated whatwg/fetch#387 and #1782 per above. Dedicated module workers created from data URLs would work, with any "cors" fetches they make for imports from an opaque origin ( |
@mikewest it seems sandboxing changes will need to be separate from this anyway right? That's not something I can directly change in HTML as far as I can tell (it might require some changes to the existing setup though). |
Yes, I think splitting |
To be clear, using a unique opaque origin might lead folks to use the workaround anyway if they need to access origin-specific data (blob URLs do result in same-origin workers). If the worker doesn't need to access storage and such though I agree that 2 is nicer (and 2 is what my PR does now). |
Yeah, I'm not 100% up on what Firefox does with workers, especially shared workers, for the data: case. @wanderview or @bakulf might know it better. I did just test and we seem to at least start a shared worker for data:, but don't seem to hand it any useful ports or something? |
SharedWorker with a data URL script works for me. Run these two lines in your devtools:
And look for a |
I get it to run as well, but when I use the same data URL in a different window I don't connect to the same worker as far as I can tell. So it's unclear how useful it is and would probably require even more special casing to support. The same setup throws in other browsers. |
It works from two windows for me. I modified my script to print the time when the worker started to disambiguate the two:
Then this logs the same timestamp when executed on windows with the same origin:
If you call that on a different origin window then you will get a different worker and timestamp. |
Right, you get a different worker. That's not shared... |
AFAIK we're not supposed to share across origins. This works just like if you were using blob URLs, no? |
What do you mean, across origins? I was talking about two windows that share an origin. |
I get the same worker for same origin windows. |
@annevk Maybe you are using multiprocess with multiple content processes (which is expected to not work)? I used Ben's second example to create a webpage, visible for your viewing pleasure at https://gist.github.com/asutherland/d0ee823e37d8400ce6a125e5416e6884 and used gdb to verify what's going on in Firefox trunk under the hood. It's also fine to use Firefox devtools to use existing pages/origins, everything still ends up the same. All instances of either page, served on localhost, result in RuntimeService's WorkerDomainInfo for "localhost" tracking a single SharedWorker with the key |
I think if we wanted to allow that, while also giving those shared workers a unique opaque origin (Gecko does not do this at the moment, but as discussed upthread that's somewhat essential for this data URL compromise), we'd have to introduce additional state. We'd basically need to have an origin that we can use for comparison when constructing the Would you be okay with no longer supporting data URLs for shared workers? |
I was wrong, it does seem like Gecko already has that double bookkeeping. At least when testing |
I don't understand why it would be valuable to add this kind of complexity to Blink. Do y'all actually see usage of |
Note that upon further reflection I'm also not entirely sure why data URLs result in an opaque origin here. For module workers we use CORS, meaning that any cross-origin script can end up executing with the origin of the worker creator. It's not clear to me why in such a world we'd not also allow data URLs to execute with the origin of the worker creator. |
And note that if we accepted that module worker view of the world, we don't need the complexity to support data URL shared workers, but Gecko would have to change to inherit the origin from the creator rather than using an opaque origin as it does today. |
Hrm. I guess you're right. There's a pretty clear analog between I would like to have a way of creating unique-origin |
No, there is one significant difference. If you do This means people may reasonably assume that putting a random URL in a |
As I pointed out, no longer true with module workers. |
Yeah, new issue? That and sandboxing can be discussed separately from data URLs. |
I guess module workers do require opt-in, so maybe from that perspective we should still do the unique opaque origin for data URLs (especially if it's a feature we'd like anyway). |
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
Fixes #1243. Basically, data URLs create (shared) workers that have a unique opaque origin.
Fixes #1243. Basically, data URLs create (shared) workers that have a unique opaque origin.
Fixes whatwg#1243. Basically, data URLs create (shared) workers that have a unique opaque origin.
At some point in the various refactorings of fetch and stuff, we ended up with https://html.spec.whatwg.org/multipage/semantics.html#concept-link-obtain calling https://html.spec.whatwg.org/multipage/infrastructure.html#create-a-potential-cors-request and none of that ever setting the "same-origin data-URL flag" on the request.
That means that as currently specced if I do this:
I should get a security exception because the sheet is not same-origin. The problem is, I don't think anyone actually implements that. WebKit and Blink violate the CSSOM spec's requirements for cross-origin stuff: they set
rules
tonull
in that situation and allow appending new rules to the cross-origin sheet. Gecko and Edge make the sheet same-origin, which allows the page to touch its CSSOM as desired.There is absolutely no reason to prevent CSSOM access to the data: sheet in this situation, so I think the fetches for stylesheets should pass the "same-origin data-URL flag", both here and for
@import
./cc @zcorpan since the latter needs changes to https://drafts.csswg.org/cssom/#fetching-css-style-sheets or its caller in
@import
.The text was updated successfully, but these errors were encountered: