Open Bug 1491119 Opened 6 years ago Updated 2 years ago

Service Worker Registration can be done on another origin by a rogue Content Process

Categories: Core :: DOM: Service Workers, enhancement, P3

Tracking: Fission Milestone Future

People: Reporter: tjr, Unassigned

References: Depends on 1 open bug, Blocks 1 open bug

Details

Every method in https://searchfox.org/mozilla-central/source/dom/serviceworkers/PServiceWorkerContainer.ipdl accepts an IPCClientInfo struct, which contains a principal. This principal is used to determine what origin to operate on.

A rogue Content Process can specify whatever principal they like, and this appears to allow one to register service workers for another origin.

We could validate the Principal specified in the struct, but it seems like it may be better to have this actor be constructed with the principal already specified from a trusted value in the Parent Process.
Priority: -- → P3
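The two designs the report contrasts, as an added illustration that is not Gecko code: a parent-side handler that takes the origin from the content-supplied struct, beside an actor constructed with a trusted principal that only ever compares the message's claim against it. All type and function names here (IPCClientInfo fields, Registry, ServiceWorkerContainerParent, RecvRegister) are hypothetical stand-ins.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified model of the situation described in the bug; none of
// these types are Gecko's. The struct stands in for IPCClientInfo: the content
// process fills it in, so every field is attacker-controlled from the parent's view.
struct IPCClientInfo {
    std::string principalOrigin;  // "principal" the content process claims to be
    std::string scope;            // service worker scope being registered
};

// Parent-side store of registrations, keyed by the origin they belong to.
using Registry = std::map<std::string, std::vector<std::string>>;

// Pattern the bug describes: the parent derives the origin to act on from the
// message itself, so a compromised content process can pick any origin.
bool RegisterTrustingMessage(Registry& reg, const IPCClientInfo& info) {
    reg[info.principalOrigin].push_back(info.scope);
    return true;
}

// The fix the reporter prefers: the actor is created by the parent with the
// principal already known from trusted process state, and the message's
// principal is only checked against it, never used as the authority.
class ServiceWorkerContainerParent {
public:
    explicit ServiceWorkerContainerParent(std::string trustedOrigin)
        : mTrustedOrigin(std::move(trustedOrigin)) {}

    // Returns false when the claimed principal does not match the one the
    // parent assigned; in a real IPC layer a mismatch would be treated as a
    // protocol violation by the sending process rather than a soft error.
    bool RecvRegister(Registry& reg, const IPCClientInfo& info) const {
        if (info.principalOrigin != mTrustedOrigin) {
            return false;  // cross-origin registration attempt rejected
        }
        reg[mTrustedOrigin].push_back(info.scope);  // use the trusted value
        return true;
    }

private:
    const std::string mTrustedOrigin;
};

// Which scopes are registered for an origin (empty if none).
std::vector<std::string> ScopesFor(const Registry& reg, const std::string& origin) {
    auto it = reg.find(origin);
    return it == reg.end() ? std::vector<std::string>{} : it->second;
}
```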
This also looks like the case in:
- PBackground.ipdl::PServiceWorker and PBackground.ipdl::PServiceWorkerRegistration
- netwerk/ipc/NeckoChannelParams.ipdlh's controller property
- The 'Claim' mechanism of Service Workers (the principal used in ClientManagerService::Claim seems to be content-process-controlled)

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Severity: normal → S3