Closed
Bug 1206185
Opened 9 years ago
Closed 9 years ago
ServiceWorkers don't appear to call any content policies
Categories
(Core :: DOM: Service Workers, defect)
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox43 | --- | affected |
People
(Reporter: dveditz, Unassigned)
References
Details
(Keywords: sec-moderate)
+++ This bug was initially created as a clone of Bug #1198078 +++ Bug 1198078 points out that serviceWorkers don't honor the mixed content blocker, but they don'tt appear to call _any_ content policy type things. Content-security-policy we know about already, but there's a whole slew of add-ons dependent on nsIContentPolicy, such as NoScript and ad-blockers. We also don't appear to be running loads through safe Browsing checks, which I think are separate from the nsIContentPolicy checks.
Comment 1•9 years ago
|
||
I think bholley is fixing this over in bug 1189668. Or is this a different problem?
Comment 2•9 years ago
|
||
I think bug 1189668 is only about respondWith().
Comment 3•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #0) > Bug 1198078 points out that serviceWorkers don't honor the mixed content > blocker, but they don'tt appear to call _any_ content policy type things. They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27> Note that the code above deals with loading the SW script itself, and importScripts(). I'm not really sure what cases you're talking about here though. Can you please clarify? > Content-security-policy we know about already, but there's a whole slew of > add-ons dependent on nsIContentPolicy, such as NoScript and ad-blockers. I think the call above is sufficient for all of these cases, isn't it? > We also don't appear to be running loads through safe Browsing checks, which > I think are separate from the nsIContentPolicy checks. Do you know how that is integrated with normal loads?
Flags: needinfo?(dveditz)
Reporter | ||
Comment 4•9 years ago
|
||
(In reply to Ehsan Akhgari (don't ask for review please) from comment #3) > (In reply to Daniel Veditz [:dveditz] from comment #0) > > they don'tt appear to call _any_ content policy type things. > > They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27> You're right: the script loader above does, and by way of using the normal XHR that's covered, too. The fetch() algorithm has hooks for CSP and hopefully we're doing so by calling generic nsIContentPolicy so that should be covered. > > We also don't appear to be running loads through safe Browsing checks, which > > I think are separate from the nsIContentPolicy checks. > > Do you know how that is integrated with normal loads? Looks like that's built into the HTTP Channel code these days so my concern was unwarranted paranoia on that point too.
Flags: needinfo?(dveditz)
Comment 5•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #4) > (In reply to Ehsan Akhgari (don't ask for review please) from comment #3) > > (In reply to Daniel Veditz [:dveditz] from comment #0) > > > they don'tt appear to call _any_ content policy type things. > > > > They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27> > > You're right: the script loader above does, and by way of using the normal > XHR that's covered, too. The fetch() algorithm has hooks for CSP and > hopefully we're doing so by calling generic nsIContentPolicy so that should > be covered. Yes, fetch() should do the right thing as well: <http://mxr.mozilla.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#113>. Note that we shipped fetch() in 39, I think. > > > We also don't appear to be running loads through safe Browsing checks, which > > > I think are separate from the nsIContentPolicy checks. > > > > Do you know how that is integrated with normal loads? > > Looks like that's built into the HTTP Channel code these days so my concern > was unwarranted paranoia on that point too. OK, np! Can we mark this as a dupe of bug 1189668?
Updated•9 years ago
|
Flags: needinfo?(dveditz)
Reporter | ||
Comment 6•9 years ago
|
||
A dupe of /something/ anyway. See CSP-2 dependencies like bug 929292 and bug 959388.
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dveditz)
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•