PSA: Secure context fix for dedicated workers


Titouan Rigoudy

Mar 2, 2022, 9:41:54 AM
to blink-dev

Contact emails

tit...@chromium.org

Specification

https://html.spec.whatwg.org/C/#secure-contexts

Summary

Dedicated workers loaded from a secure (HTTPS) origin yet instantiated by insecure (non-HTTPS) contexts are no longer considered secure. This results in the following web developer facing changes inside such worker contexts:

- `self.isSecureContext` is now `false`
- `self.caches` and `self.storageFoundation` are no longer available

This aligns Blink behavior with the specification and Gecko.



Blink component

Blink>SecurityFeature>SecureContexts

Risks



Interoperability and Compatibility

Interoperability risk is negative? Gecko is already shipping this behavior. WebKit is not, because it also deviates from the specification. In general, this increases the interoperability of the web platform.

Compatibility risk is the main issue here. Usage data from the beta channel shows ~0.08% of page visits potentially affected by this change, which is surprisingly high: https://chromestatus.com/metrics/feature/timeline/popularity/4103

Those pages instantiate a worker that is incorrectly classified as secure. This means those workers have access to APIs (`self.caches` and `self.storageFoundation` being the only ones on `WorkerGlobalScope`) that they should not have access to. Note that this overestimates the compatibility risk, since not all such workers actually rely on those APIs. In particular, since Gecko implements the spec correctly, such workers would already not work in that engine.



Gecko: Shipped/Shipping

WebKit: No signal

Web developers: No signals

Other signals:

Security

This change is security-positive.



Debuggability

N/A.



Is this feature fully tested by web-platform-tests?

Yes

Flag name

SecureContextFixForWorkers

Requires code in //chrome?

False

Tracking bug

https://crbug.com/780031

Estimated milestones

DevTrial on desktop: 99
DevTrial on android: 99


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5651456005767168

This intent message was generated by Chrome Platform Status.
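
An added example, not part of the original post or of Chromium's code: a check a site could run inside its own dedicated workers to see whether they fall under this change and to avoid depending on `self.caches` when they do. The name `diagnoseWorkerScope`, the report message type and the sample scopes are assumptions made for illustration.

```javascript
// Added example; diagnoseWorkerScope and the message type are hypothetical names.

// The two WorkerGlobalScope APIs the post lists as secure-context-only.
const GATED_APIS = ['caches', 'storageFoundation'];

// Takes a WorkerGlobalScope-like object and returns a plain report that is
// safe to postMessage(): no gated API is dereferenced unless it is exposed.
function diagnoseWorkerScope(scope) {
  const secure = scope.isSecureContext === true;
  const protocol = scope.location ? scope.location.protocol : '';
  // In a non-secure worker these properties are simply not exposed.
  const present = GATED_APIS.filter((name) => scope[name] != null);
  return {
    secure,
    present,
    // The case from the post: script served over HTTPS, context not secure.
    affectedByFix: protocol === 'https:' && !secure,
    // Only rely on Cache Storage when the context is secure and exposes it.
    storage: secure && present.includes('caches') ? 'cache-storage' : 'memory',
  };
}

// Constructed sample scopes standing in for real WorkerGlobalScope objects.
const SAMPLE_SECURE = {
  isSecureContext: true,
  location: { protocol: 'https:' },
  caches: { open() {} },
};
const SAMPLE_DOWNGRADED = {
  isSecureContext: false,
  location: { protocol: 'https:' },
};

// Inside a real dedicated worker, send the report to the page that created it.
if (typeof WorkerGlobalScope !== 'undefined' && self instanceof WorkerGlobalScope) {
  self.postMessage({ type: 'secure-context-report', report: diagnoseWorkerScope(self) });
}
```

The creating page can log these reports to find workers that need a fallback before the change reaches its users.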

Chris Harrelson

Mar 2, 2022, 10:46:16 AM
to Titouan Rigoudy, blink-dev
I think this is fine and makes sense to run as a PSA, thanks for sending it. My only ask is to reply again if any site compat bugs are encountered.


Titouan Rigoudy

Mar 2, 2022, 11:01:25 AM
to Chris Harrelson, blink-dev
Will do! I'll post back here if we run into trouble.

Cheers,
Titouan