Closed yutakahirano closed 3 years ago
yutakahirano
commented
4 years ago cc: @annevk @nhiroki
My understanding is that a worker should inherit its owner set documents' HTTPS state, and the assertion should be fixed accordingly. Please let me know if you think otherwise.
Related to https://github.com/web-platform-tests/wpt/pull/22929.
annevk
commented
4 years ago Thanks for spotting that, agreed! See also https://github.com/whatwg/html/issues/5254 for some additional complexity due to data URL workers. (To be clear, we took on that complexity as we also wanted sandboxed workers in due course, which would have a similar model.)
nhiroki
commented
4 years ago +1.
For reference, the HTML spec defines that a data URL worker has an opaque origin:
The origin: Return a unique opaque origin if worker global scope's url's scheme is "data", and inherited origin otherwise.
And, the Fetch spec defines a response for a data URL has fetch client's HTTPS state, that is, the document's HTTPS state:
"data":
- Return a response whose status message is
OK, header list consist of a single header whose name isContent-Typeand value is dataURLStruct’s MIME type, serialized, body is dataURLStruct’s body, and HTTPS state is request’s client’s HTTPS state if request’s client is non-null.
annevk
commented
4 years ago https://github.com/whatwg/html/pull/5659 resolved this, but since this specification doesn't appear to be maintained, leaving this open for now for visibility.
annevk
commented
3 years ago Solved by #84.
https://w3c.github.io/webappsec-secure-contexts/#is-settings-object-contextually-secure states:
The assertion is confusing or wrong, because a worker can be created from a data URL, and in that case the worker is not same origin with its parent context.