mixed content and CSP checks should be run after SW handles fetch event #77
Comments
|
Main fetch, step 11 is the right place I think. I'm waiting for w3c/webappsec#227 to get fixed. |
|
Oh I see. It seems Main fetch step 11 already handles the case for mixed content. It is just missing a check for CSP there. Right? |
|
Yes, because CSP lacks an algorithm that takes a response per the aforementioned issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently Main Fetch step 4 says:
"If should fetching request be blocked as mixed content or should fetching request be blocked as content security returns blocked, set response to a network error."
This is designed to honor mixed content and CSP restrictions.
These checks, however, are dependent on the request context of the fetch. In the case of a SW handling a fetch event, it may perform a fetch() with a "fetch" request context which is different than the FetchEvent.request's context. This means the resulting Response may end up violating the intercepted network interceptions mixed content and CSP rules.
I think HTTP fetch step 2.2 needs to perform the same mixed content and CSP checks using the original FetchEvent.request's context and the returned Response's tainting.
The text was updated successfully, but these errors were encountered: