[whatwg/fetch] Consider preserving destination on `new Request(request)` (#717) from Ben Kelly on 2018-04-25 (public-webapps-github@w3.org from April 2018)

From: Ben Kelly <notifications@github.com>
Date: Wed, 25 Apr 2018 13:57:26 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/717@github.com>

Consider the situation described in this blog post:

https://qubyte.codes/blog/content-security-policy-and-service-workers

Essentially a site has set a CSP policy of `default-src self; img-src *` on all its served resources. The intent is to restrict cross-origin resource loads to only images.

This works on a normal page, but does not work when the CSP is applied to the service worker script. The service worker script does `fetch(evt.request)` which triggers a network request with an empty string destination. This in turn causes the CSP check to fall back to default-src and fail.

I think we should consider preserving the destination when an existing Request is passed as the constructor input. We would only clear the destination if any of the init params are passed to alter the Request. So basically another thing to sanitize under step 14 in:

https://fetch.spec.whatwg.org/#dom-request

This would allow the service worker to have a CSP policy like `default-src self; img-src *` and perform pass through fetch requests for images. It effectively expresses that the service worker is allowed to perform cross-origin network requests on behalf of the browser only for images. Only the browser can mint destination "image" requests.

The risks of doing this seem to be:

1. The service worker could consume the cross-origin image request in a different way than passing it to respondWith(). If its able to force some other kind of data through an img element src URL, then maybe it could access non-image data.
2. The service worker could put the "image" destination Request in Cache API and pull it out to use later.

I'm not sure how bad these risks are. It just seems unfortunate that we effectively require service workers with pass-through fetch handlers like this to disable their CSP protections in the service worker. Effectively the site has to let their service worker fetch() *any* cross-origin resources if it wants to support pass-through fetch of a specific thing like cross-origin images.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/717

Received on Wednesday, 25 April 2018 20:57:50 UTC