WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
NEW
261734
CORP headers mishandled inside Worker
https://bugs.webkit.org/show_bug.cgi?id=261734
Summary
CORP headers mishandled inside Worker
Jozef Chutka
Reported
2023-09-19 06:10:32 PDT
Reproduction steps: Have
https://domain-a/index.html
served with headers: ``` Cross-Origin-Opener-Policy same-origin Cross-Origin-Embedder-Policy require-corp ``` and content: ``` <script> const content = `import { foo } from "
https://domain-b/module.js
";`; const blob = new Blob([content], {type:"text/javascript"}); new Worker(URL.createObjectURL(blob), {type:"module"}); </script> ``` And have
https://domain-b/module.js
served with headers: ``` Access-Control-Allow-Origin * Access-Control-Expose-Headers * Cross-Origin-Resource-Policy: cross-origin ``` and whatever content: ``` console.log("hello"); ``` This is a valid combination of COOP/COEP vs. CORP headers, however running
https://domain-a/index.html
in safari 16.6 fails to load the module.js with the following console error: ``` [Error] Refused to load '
https://domain-b/module.js
' worker because of Cross-Origin-Embedder-Policy. [Error] Worker load was blocked by Cross-Origin-Embedder-Policy [Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0) [Error] Cannot load
https://domain-b/module.js
due to access control checks. [Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0) [Error] Importing a module script failed. ``` Changing the content of index.html to something like: ``` <script src="
https://domain-b/module.js
"></script> ``` ...will load correctly, confirming the headers are correctly set, and the issue is related to Worker sandbox.
Attachments
Add attachment
proposed patch, testcase, etc.
Jozef Chutka
Comment 1
2023-09-20 02:15:40 PDT
The workaround is to replace: ``` import { foo } from "
https://domain-b/module.js
" ``` by fetch + import function ``` const response = await fetch("
https://domain-b/module.js
"); const blob = await response.blob(); const { pipeline } = await import(URL.createObjectURL(blob)); ``` Considering fetch() is allowed to load a url while static import declaration is blocked, it seems to me the bug in safari has something to do with security for static import declarations.
Radar WebKit Bug Importer
Comment 2
2023-09-26 06:11:15 PDT
<
rdar://problem/116051307
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug