Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent opaque requests being used in response to client requests #590

Closed
jakearchibald opened this issue Dec 12, 2014 · 11 comments
Closed

Comments

@jakearchibald
Copy link
Contributor

(for "client requests" see https://www.w3.org/Bugs/Public/show_bug.cgi?id=27595)

If an opaque response is used for a client request, it breaks the security model as you can then inspect the contents of the response if it executes script.

Eg: I could respond to a request for my home page with a no-cors response from gmail, then I can catch one of the script requests it makes & respond with my own request that queries page contents.

@annevk we can easily add this to the ServiceWorker spec, but do you think it fits better in the Fetch spec along with rules like 1.2.2 in https://fetch.spec.whatwg.org/#http-fetch ?

Chrome seems to already prevent this happening.

@annevk
Copy link
Member

annevk commented Dec 12, 2014

For client requests related to workers this is not possible since those require same-origin responses. I guess the mode for "form" et al is "no-cors" so we do indeed have an issue of sorts there.

Is anything but opaque response okay in those scenarios? E.g. if the SW passes a CORS response back the UA would need to enforce the CORS filtered response limitations otherwise you could embed something in an <iframe> and get more data out of it.

@jakearchibald
Copy link
Contributor Author

if the SW passes a CORS response back the UA would need to enforce the CORS filtered response limitations otherwise you could embed something in an <iframe> and get more data out of it.

What does an iframe expose that a CORS response wouldn't? I suppose a header such as Link: </styles.css>; REL=stylesheet could be detected as you'd see the request for styles.css.

@annevk
Copy link
Member

annevk commented Dec 16, 2014

Yup.

@jakearchibald
Copy link
Contributor Author

If that's a problem then only allow basic responses.

@annevk
Copy link
Member

annevk commented Apr 5, 2015

My reasoning was not very sound I think (removed offending comments). A request for a client is obviously same-origin with the client due to service workers having to be same-origin. Therefore, requiring a basic response seems fine.

@jakearchibald would this change work:

In https://fetch.spec.whatwg.org/#http-fetch we introduce a new substep within step 2 that returns a network error if request is a client request and response's type is not "basic" or "default".

Also paging @nikhilm and @wanderview for additional review.

@ehsan
Copy link

ehsan commented Apr 6, 2015

LGTM.

@horo-t
Copy link
Member

horo-t commented Apr 15, 2015

Filed http://crbug.com/474914

@jpjitendrapal
Copy link

How one can differentiate if one request is 404 or not in case of opaque type?

@wanderview
Copy link
Member

How one can differentiate if one request is 404 or not in case of opaque type?

You cannot differentiate them.

@hanguokai
Copy link
Member

A question, I want to use Cache API independently to cache no-cors images(because many CDN images no cors header) in windowed scopes not in service worker. In this condition, fetch's response is opaque. I can use cache.put() to save opaque image to cache, but how can I use this cache to restore image? Service worker can response opaque cache response, but in windowed scopes it can't use opaque image cache to create image or URL.createObjectURL() .

@mkruisselbrink
Copy link
Collaborator

Unfortunately you'd need something like whatwg/fetch#49 (i.e. being able to pass a Response object to an img tag) to be able to do that without having a service worker.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants