Serviceworker: register() lacks same origin check

Created on 15 Jun 2020  路  9Comments  路  Source: w3c/ServiceWorker

Am I missing something or does register() not perform a same origin check anywhere?

security-tracker

All 9 comments

The "Start Register" algorithm has some checks in step 3 and 4:

  • step 3 checks that scheme is http or https
  • step 4 checks that the scriptURL's path doesn't contain "%2F" or "%5C".

The only invokation of Start Register is in ServiceWorkerContainer.register(), which does not apply any checks, just parsing in step 3.

P.S.: This issue filed was based on a question I had directed at @annevk based on folks requesting subresource integrity support for ServiceWorkers - which is providing most of its on cross-origin resources only.

Start Register schedules a "Register" job, which ends up invoking https://w3c.github.io/ServiceWorker/#register-algorithm, which does do same origin checks in step 2 and 3 (the "referrer" is set to "client's creation URL" in the register() method.

This definitely could be cleaned up more to make it clearer. I remember there was a good reason for making this this complicated back when I spec'ed header-based installation, but that was a bad idea anyway. So probably it could be done much more straight forward.

Thanks, though note that it does not actually do a same origin check. It checks if _A_ is _B_, not if _A_ is same origin with _B_. Those are different checks.

What happens in case of a cross-origin redirect?

Per step 5 of "perform the fetch" here:

https://w3c.github.io/ServiceWorker/#update-algorithm

The request.redirect mode is set to "error".

I see, but it's weird that "perform the fetch" isn't passed to the algorithm (or is an official optional parameter). @domenic that might be worth cleaning up.

Fixed in #1568

Was this page helpful?
0 / 5 - 0 ratings