Open aliams opened 7 years ago
Step 10 of https://fetch.spec.whatwg.org/#concept-main-fetch is supposed to handle the service worker case by performing a CSP check on the response (which has the redirect chain stored on it in its url list).
It seems to me like the issue has been answered by @annevk so it can be closed.
Indeed, fetch calls into CSP on the response per step 10 of main fetch, but if I’m not mistaken, CSP pivots off the request’s redirect count rather than the response’s url list (see https://w3c.github.io/webappsec-csp/#match-response-to-source-list). If that’s the case, we won’t catch the service worker redirect case because the request redirect count is not updated from the service worker response. See references to https://fetch.spec.whatwg.org/#concept-request-redirect-count and note that this value is not updated if the redirects are performed in the service worker context, only in the client context.
@wanderview do we update the redirect count here internally? I'd assume we don't.
Seems better if CSP uses the url list concept.
The CSP post-request check algorithm deliberately relaxes its source path match sub-algorithm when a response is redirected in order to avoid leaking information about redirects via CSP violation reporting to a foreign origin. In the same way, browsers relax the source path matching algorithm when a response is replaced by a service worker. While there is currently no hard spec requirement for this, at least one W3C test case [1] requires it.
Note that the primary issue is when the service worker has chased redirects instead of the client context. Normally fetch will relax the source path match when it sees the request's redirect count > 0 for the security reason mentioned. However this redirect count is a field on the request which is not updated (at least per the spec) from the service worker's response. Either we need to update this count so at least the same policy relaxation on redirections works for service workers, or we need to completely relax the policy whenever a service worker has handled a response, which would be broad enough to cover the redirect case automatically.
References:
[1] https://w3c-test.org/service-workers/service-worker/fetch-csp.https.html
[2] https://w3c.github.io/webappsec-csp/#match-url-to-source-expression
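The discrepancy described in the last two comments, as an added example that is not part of the issue thread or of either spec: a simplified model of CSP's "match URL to source expression" path step, evaluated once with the request's redirect count (as specified today) and once with a count derived from the response's url list (the alternative suggested above). The source-expression shape, the wildcard-free host matching and the constructed URLs are assumptions made for the example.

```javascript
// Simplified model of the CSP path check (assumption: host-source only,
// no wildcards, no port matching; a source expression is {scheme, host, path}).
function pathPartMatches(exprPath, urlPath) {
  // An empty path part matches any path; a trailing "/" means prefix match.
  if (exprPath === "") return true;
  if (exprPath.endsWith("/")) return urlPath.startsWith(exprPath);
  return urlPath === exprPath;
}

function urlMatchesExpression(expr, urlString, redirectCount) {
  const url = new URL(urlString);
  if (expr.scheme && expr.scheme + ":" !== url.protocol) return false;
  if (expr.host !== url.hostname) return false;
  // The path part is only compared when the redirect count is 0; after a
  // redirect the path is deliberately ignored so reports do not reveal it.
  if (redirectCount === 0 && !pathPartMatches(expr.path, url.pathname)) return false;
  return true;
}

// As specified today: the redirect count is read from the *request*.
function matchResponseUsingRequestCount(expr, request, response) {
  return urlMatchesExpression(expr, response.url, request.redirectCount);
}

// Alternative raised in the thread: derive the count from the response's
// url list, which a service worker's response carries even when the
// request's redirect count was never updated.
function matchResponseUsingUrlList(expr, request, response) {
  return urlMatchesExpression(expr, response.url, response.urlList.length - 1);
}

// Constructed scenario: policy `script-src https://cdn.example/libs/`,
// a request for /libs/app.js that was redirected to /other/app.js.
const policyExpr = { scheme: "https", host: "cdn.example", path: "/libs/" };
const urlList = ["https://cdn.example/libs/app.js", "https://cdn.example/other/app.js"];
const response = { url: urlList[urlList.length - 1], urlList };
// (a) Redirect followed in the client context: the request count is updated.
const clientRequest = { redirectCount: 1 };
// (b) Redirect chased inside a service worker: the request count stays 0.
const swRequest = { redirectCount: 0 };

function compareOutcomes() {
  return {
    clientRedirectRequestCount: matchResponseUsingRequestCount(policyExpr, clientRequest, response),
    swRedirectRequestCount: matchResponseUsingRequestCount(policyExpr, swRequest, response),
    swRedirectUrlList: matchResponseUsingUrlList(policyExpr, swRequest, response),
  };
}
```

The same redirected response is allowed when the client followed the redirect but rejected on the post-redirect path when a service worker did, and switching the input to the url list makes the two cases agree.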