register() lacks same origin check #1518
Comments
annevk
added
the
security-tracker
|
The "Start Register" algorithm has some checks in step 3 and 4:
The only invokation of Start Register is in ServiceWorkerContainer.register(), which does not apply any checks, just parsing in step 3. P.S.: This issue filed was based on a question I had directed at @annevk based on folks requesting subresource integrity support for ServiceWorkers - which is providing most of its on cross-origin resources only. |
|
Start Register schedules a "Register" job, which ends up invoking https://w3c.github.io/ServiceWorker/#register-algorithm, which does do same origin checks in step 2 and 3 (the "referrer" is set to "client's creation URL" in the register() method. This definitely could be cleaned up more to make it clearer. I remember there was a good reason for making this this complicated back when I spec'ed header-based installation, but that was a bad idea anyway. So probably it could be done much more straight forward. |
|
Thanks, though note that it does not actually do a same origin check. It checks if A is B, not if A is same origin with B. Those are different checks. |
|
What happens in case of a cross-origin redirect? |
|
Per step 5 of "perform the fetch" here: https://w3c.github.io/ServiceWorker/#update-algorithm The request.redirect mode is set to "error". |
|
I see, but it's weird that "perform the fetch" isn't passed to the algorithm (or is an official optional parameter). @domenic that might be worth cleaning up. |
|
I moved this to whatwg/html#6339. |
|
I missed the comment here: #1518 (comment) |
|
Fixed in #1568 |
Am I missing something or does
register()not perform a same origin check anywhere?The text was updated successfully, but these errors were encountered: