Bug 261734

Summary: CORP headers mishandled inside Worker
Product: WebKit Reporter: Jozef Chutka <jozefchutka>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: annevk, beidson, cdumez, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Safari 16   
Hardware: Mac (Apple Silicon)   
OS: Unspecified   

Description Jozef Chutka 2023-09-19 06:10:32 PDT 
Reproduction steps:

Have https://domain-a/index.html served with headers:

```
Cross-Origin-Opener-Policy same-origin
Cross-Origin-Embedder-Policy require-corp
```

and content:

```
<script>
const content = `import { foo } from "https://domain-b/module.js";`;
const blob = new Blob([content], {type:"text/javascript"});
new Worker(URL.createObjectURL(blob), {type:"module"});
</script>
```

And have https://domain-b/module.js served with headers:

```
Access-Control-Allow-Origin *
Access-Control-Expose-Headers *
Cross-Origin-Resource-Policy: cross-origin
```

and whatever content:

```
console.log("hello");
```

This is a valid combination of COOP/COEP vs. CORP headers, however running https://domain-a/index.html in safari 16.6 fails to load the module.js with the following console error:

```
[Error] Refused to load 'https://domain-b/module.js' worker because of Cross-Origin-Embedder-Policy.
[Error] Worker load was blocked by Cross-Origin-Embedder-Policy
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Cannot load https://domain-b/module.js due to access control checks.
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Importing a module script failed.
```

Changing the content of index.html to something like:

```
<script src="https://domain-b/module.js"></script>
```

...will load correctly, confirming the headers are correctly set, and the issue is related to Worker sandbox.
Comment 1 Jozef Chutka 2023-09-20 02:15:40 PDT 
The workaround is to replace:

```
import { foo } from "https://domain-b/module.js"
```

by fetch + import function

```
const response = await fetch("https://domain-b/module.js");
const blob = await response.blob();
const { pipeline } = await import(URL.createObjectURL(blob));
```

Considering fetch() is allowed to load a url while static import declaration is blocked, it seems to me the bug in safari has something to do with security for static import declarations.
Comment 2 Radar WebKit Bug Importer 2023-09-26 06:11:15 PDT 
<rdar://problem/116051307>