CSP & cross-origin module blocks #38
From the README: `postMessage` across windows allows communication between origins, and presumably this means modules can be passed between origins. Does the CSP story still hold true? OriginA could forbid eval and forbid execution of scripts from OriginB, but OriginA could receive a module from OriginB via `window.onmessage` and instantiate it, bypassing both of those CSP rules.

Comments

I am not sure CSP is relevant here, but cross-origin likely is. I’d equate it to doing

I don't think CORS is relevant here. OriginB already allowed OriginA visibility into the module by calling The problem isn't that OriginB's security was bypassed, it's that OriginA's CSP was bypassed.

Yeah, this does seem like something of a leak risk. I think it should be pretty straightforward for module blocks' HTML integration to keep track of the origin where they were defined, so that such CSP rules can check it when the module is imported.

It seems like that information will already be there to make

Yeah there will be various kinds of things to do in HTML integration. Also they need to be keys in the module map. @surma and I plan to get started on this all tomorrow.
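The mitigation discussed in this thread, as an added sketch that is not code from the proposal, from any browser, or from the thread's participants: a module block carries the origin that defined it, and the receiving document consults its own `script-src` before instantiating a block that arrived through `postMessage`. The names `ModuleBlock`, `parseScriptSrc`, `scriptSrcAllowsOrigin` and `instantiateModuleBlock` are assumptions for this sketch, and the source-expression matcher is deliberately simplified (scheme, host with a leading `*.` wildcard, and an explicit port only), not the full CSP matching algorithm.

```javascript
// Added sketch of origin-tracking for module blocks checked against the
// receiver's CSP. All names here are assumptions, not a proposal or browser API.

// A module block as it might travel through postMessage: its source text plus
// the origin of the realm that evaluated the `module { ... }` expression.
class ModuleBlock {
  constructor(source, definingOrigin) {
    this.source = source;
    this.definingOrigin = new URL(definingOrigin).origin;
  }
}

// Minimal CSP header parser: returns the source list of script-src, falling
// back to default-src as CSP does; null when neither directive is present.
function parseScriptSrc(cspHeader) {
  let fallback = null;
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === "script-src") return tokens.slice(1);
    if (tokens[0] === "default-src") fallback = tokens.slice(1);
  }
  return fallback;
}

// Simplified matcher: does the source list allow code defined by `origin`,
// evaluated inside a document at `selfOrigin`? Handles 'none', '*', 'self',
// and scheme://host[:port] expressions with an optional leading *. wildcard.
function scriptSrcAllowsOrigin(sources, selfOrigin, origin) {
  if (sources === null) return true; // no applicable directive: nothing to enforce
  const o = new URL(origin);
  const self = new URL(selfOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") {
      if (o.origin === self.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // other keyword sources ('unsafe-eval', ...) do not name hosts
    const withScheme = src.includes("://") ? src : `${self.protocol}//${src}`;
    const m = withScheme.match(/^([a-z][a-z0-9+.-]*:)\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i);
    if (!m) continue;
    const [, scheme, wildcard, host, port] = m;
    if (scheme.toLowerCase() !== o.protocol) continue;
    if (port !== undefined && port !== o.port) continue;
    const h = host.toLowerCase();
    const hostMatches = wildcard ? o.hostname.endsWith("." + h) : o.hostname === h;
    if (hostMatches) return true;
  }
  return false;
}

// The check a receiver performs before instantiating a block it received via
// onmessage. Returns a stand-in for the instantiated module, or throws on a
// CSP violation so the block's code never runs.
function instantiateModuleBlock(block, receiverOrigin, receiverCsp) {
  const sources = parseScriptSrc(receiverCsp);
  if (!scriptSrcAllowsOrigin(sources, receiverOrigin, block.definingOrigin)) {
    throw new Error(
      `CSP violation: script-src of ${receiverOrigin} does not allow a module block defined by ${block.definingOrigin}`
    );
  }
  return { origin: block.definingOrigin, source: block.source };
}

// Constructed scenario from the issue: OriginA forbids scripts from OriginB.
// Blocks from OriginA itself and from an allowed CDN instantiate; OriginB's does not.
function demo() {
  const receiverOrigin = "https://a.example";
  const receiverCsp = "default-src 'self'; script-src 'self' https://*.cdn.example";
  const blocks = {
    ownBlock: new ModuleBlock("export const x = 1;", "https://a.example"),
    cdnBlock: new ModuleBlock("export const y = 2;", "https://static.cdn.example"),
    foreignBlock: new ModuleBlock("export const z = 3;", "https://b.example"),
  };
  const results = {};
  for (const [name, block] of Object.entries(blocks)) {
    try {
      instantiateModuleBlock(block, receiverOrigin, receiverCsp);
      results[name] = "instantiated";
    } catch (e) {
      results[name] = "blocked";
    }
  }
  return results;
}

console.log(demo());
```

The point of the sketch is where the check sits: the defining origin is attached when the block is created and is consulted at instantiation time in the receiver, so a block that is merely handed over through `postMessage` gets no more latitude than a `<script src>` from the same origin would.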