"Is an environment settings object contextually secure?" does not deal with nested workers

w3c / webappsec-secure-contexts

WebAppSec Secure Contexts

https://w3c.github.io/webappsec-secure-contexts/

Other

33 stars 38 forks source link

"Is an environment settings object contextually secure?" does not deal with nested workers #56

Closed annevk closed 3 years ago

annevk commented 6 years ago

Per HTML you can have a dedicated worker inside a dedicated worker. Or a shared worker inside a dedicated worker. At that point it's owner set won't include a Document object, meaning they're always treated as secure.

bzbarsky commented 6 years ago

In Gecko, a worker with a parent worker inherits secure context state from the parent worker. See https://searchfox.org/mozilla-central/rev/769222fadff46164f8cc0dc7a0bae5a60dc2f335/dom/workers/WorkerPrivate.cpp#2632 and compare to the toplevel worker case at https://searchfox.org/mozilla-central/rev/769222fadff46164f8cc0dc7a0bae5a60dc2f335/dom/workers/WorkerPrivate.cpp#2649-2655

bzbarsky commented 6 years ago

Oh, and Gecko does not support SharedWorker inside a dedicated worker, so we don't end up having to worry about that case..

annevk commented 4 years ago

https://github.com/whatwg/html/pull/5659 resolved this, but since this specification doesn't appear to be maintained, leaving this open for now for visibility.

annevk commented 3 years ago

Sorted by #84.