Service-Worker-Allowed can be cross-origin to the script URL. #1307
Comments
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Apr 23, 2018
Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Apr 23, 2018
Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#552639}
aarongable
pushed a commit
to chromium/chromium
that referenced
this issue
Apr 23, 2018
Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#552639}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Apr 23, 2018
Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#552639}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Apr 30, 2018
…Allowed test to WPT., a=testonly Automatic update from web-platform-testsservice worker: Upstream Service-Worker-Allowed test to WPT. Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#552639} -- wpt-commits: a8a8377b1ecb700709c923f3e72b513eedb3c0c2 wpt-pr: 10569
|
@mattto We tripped into a similar issue, however, in our case everything was on the same origin. When doing, This failed with the error The fix is to add the |
|
@aleemb that's off-topic for this issue. It seems like the error message provides the reason (if you can inject a service worker script somewhere we don't want to easily let it take over the entire domain). |
mfalken
added a commit
to mfalken/ServiceWorker
that referenced
this issue
May 22, 2019
* Require Service-Worker-Allowed to be same-origin to the script URL (w3c#1307) * Add non-normative explanation of Service-Worker-Allowed (w3c#1405) and other mitigations. The text is highly inspired by https://infrequently.org/2014/12/psa-service-workers-are-coming/.
|
Just checking, @aliams @asutherland @wanderview @youennf @jakearchibald does this change sound good? The proposal is The WPT that would change is here: https://wpt.fyi/results/service-workers/service-worker/Service-Worker-Allowed-header.https.html?label=master&product=chrome%5Bexperimental%5D&product=edge&product=firefox%5Bexperimental%5D&product=safari%5Bexperimental%5D&aligned According to the results, Edge implements the proposed change, and the other browsers implement the current spec. There is no particular reason for the change, it just seems odd for the value to be a URL whose origin is ignored; if we wanted to do that it should just be specified as a path. On the other hand, if the spec churn isn't worth it, I can just drop this. |
|
I think you should make this change as it's indicative of something going wrong that developers should get to know early on. (I can't quite find an attack angle, but that shouldn't be the bar.) |
|
Gecko changed to conform to the spec and tests, ignoring the origin, in https://bugzilla.mozilla.org/show_bug.cgi?id=1532303. That said, I think the proposed change makes sense as the pre-patch spec behavior is very silly. |
|
+1 for making the change. |
mfalken
added a commit
to mfalken/ServiceWorker
that referenced
this issue
May 29, 2019
* Require Service-Worker-Allowed to be same-origin to the script URL (w3c#1307) * Add non-normative explanation of Service-Worker-Allowed (w3c#1405) and other mitigations. The text is highly inspired by https://infrequently.org/2014/12/psa-service-workers-are-coming/.
mfalken
added a commit
that referenced
this issue
May 29, 2019
* Require Service-Worker-Allowed to be same-origin to the script URL (#1307) * Add non-normative explanation of Service-Worker-Allowed (#1405) and other mitigations. The text is highly inspired by https://infrequently.org/2014/12/psa-service-workers-are-coming/.
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
May 30, 2019
The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
May 30, 2019
The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#664886}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
May 30, 2019
The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#664886}
|
Spec and WPT changed. Browser bugs at: |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Jun 19, 2019
…er-Allowed test to match spec., a=testonly Automatic update from web-platform-tests service worker: WPT: update Service-Worker-Allowed test to match spec. The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#664886} -- wp5At-commits: 46d44f68be1d4347372cc1ff71861994916a1114 wpt-pr: 17096
xeonchen
pushed a commit
to xeonchen/gecko
that referenced
this issue
Jun 19, 2019
…er-Allowed test to match spec., a=testonly Automatic update from web-platform-tests service worker: WPT: update Service-Worker-Allowed test to match spec. The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#664886} -- wp5At-commits: 46d44f68be1d4347372cc1ff71861994916a1114 wpt-pr: 17096
marcoscaceres
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Jul 23, 2019
The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <[email protected]> Commit-Queue: Matt Falkenhagen <[email protected]> Cr-Commit-Position: refs/heads/master@{#664886}
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this issue
Oct 2, 2019
…Allowed test to WPT., a=testonly Automatic update from web-platform-testsservice worker: Upstream Service-Worker-Allowed test to WPT. Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <nhirokichromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#552639} -- wpt-commits: a8a8377b1ecb700709c923f3e72b513eedb3c0c2 wpt-pr: 10569 UltraBlame original commit: f6395e92c3b3c723ed033ffdd201059bf91ab9ab
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this issue
Oct 3, 2019
…Allowed test to WPT., a=testonly Automatic update from web-platform-testsservice worker: Upstream Service-Worker-Allowed test to WPT. Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <nhirokichromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#552639} -- wpt-commits: a8a8377b1ecb700709c923f3e72b513eedb3c0c2 wpt-pr: 10569 UltraBlame original commit: f6395e92c3b3c723ed033ffdd201059bf91ab9ab
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this issue
Oct 3, 2019
…Allowed test to WPT., a=testonly Automatic update from web-platform-testsservice worker: Upstream Service-Worker-Allowed test to WPT. Also add test cases for Service-Worker-Allowed header values that are absolute URLs. Currently Chrome accepts SWA header values that are cross-origin to the script URL since it seems to only care about the path of the URL. It seems strange but that seems to agree with the spec: w3c/ServiceWorker#1307 Bug: 688116 Change-Id: I6dca55ea8525803efd2e55bf4166c863d62d31fa Reviewed-on: https://chromium-review.googlesource.com/1023672 Reviewed-by: Hiroki Nakagawa <nhirokichromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#552639} -- wpt-commits: a8a8377b1ecb700709c923f3e72b513eedb3c0c2 wpt-pr: 10569 UltraBlame original commit: f6395e92c3b3c723ed033ffdd201059bf91ab9ab
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this issue
Oct 4, 2019
…er-Allowed test to match spec., a=testonly Automatic update from web-platform-tests service worker: WPT: update Service-Worker-Allowed test to match spec. The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <wanderviewchromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#664886} -- wp5At-commits: 46d44f68be1d4347372cc1ff71861994916a1114 wpt-pr: 17096 UltraBlame original commit: 4336a0f5160d9faf14a76d6c008297cf1dd37a1b
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this issue
Oct 4, 2019
…er-Allowed test to match spec., a=testonly Automatic update from web-platform-tests service worker: WPT: update Service-Worker-Allowed test to match spec. The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <wanderviewchromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#664886} -- wp5At-commits: 46d44f68be1d4347372cc1ff71861994916a1114 wpt-pr: 17096 UltraBlame original commit: 4336a0f5160d9faf14a76d6c008297cf1dd37a1b
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this issue
Oct 4, 2019
…er-Allowed test to match spec., a=testonly Automatic update from web-platform-tests service worker: WPT: update Service-Worker-Allowed test to match spec. The spec changed recently at w3c/ServiceWorker#1307. Also refactor the tests to eliminate duplicate code and properly cleanup. Bug: 968436 Change-Id: I56d649769a64d064dc7342961dd6c4763df7e037 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1637019 Reviewed-by: Ben Kelly <wanderviewchromium.org> Commit-Queue: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#664886} -- wp5At-commits: 46d44f68be1d4347372cc1ff71861994916a1114 wpt-pr: 17096 UltraBlame original commit: 4336a0f5160d9faf14a76d6c008297cf1dd37a1b
|
for me, I tested it within a subdomain, I had the same issue described above, and was able to solve it by changing the scope: '/', ---> scope: '.', app.js |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed we don't have WPT tests for Service-Worker-Allowed and started upstreaming Chrome's.
While doing that I added test cases for when SWA is an absolute URL, and found that Chrome accepts SWA that is cross-origin to the script URL, since it only looks at the path of the SWA. That seems a bit surprising. For example, this works if run on https://my-origin.com:
That seems to agree with the spec which has these steps:
I believe that parsing an absolute URL with a cross-origin base URL ends up ignoring base URL, based on results from
new URL()(correct me if I'm wrong...).I think we should error on cross-origin SWA from the script URL though. Firefox seems to be doing this. Here is error output when script URL is same-origin as the scope at resources/empty-worker.js, and SWA was a cross-origin:
Failed to register a ServiceWorker: The path of the provided scope ‘http://127.0.0.1:8001/service-workers/service-worker/resources/this-scope-is-normally-allowed’ is not under the max scope allowed ‘https://www1.web-platform.test:8444/’. Adjust the scope, move the Service Worker script, or use the Service-Worker-Allowed HTTP header to allow the scope.
The text was updated successfully, but these errors were encountered: