Proposal: relax csp to allow web workers#3751
Draft
mnutt wants to merge 1 commit intosandstorm-io:masterfrom
Draft
Proposal: relax csp to allow web workers#3751mnutt wants to merge 1 commit intosandstorm-io:masterfrom
mnutt wants to merge 1 commit intosandstorm-io:masterfrom
Conversation
Collaborator
|
I'm not opposed conceptually but CSP is a realm I have truly minimal expertise. |
ocdtrekkie
added
enhancement
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is opened as a draft for discussion only.
Back in 2020 it came to light that allowing Service Workers would allow them to modify response headers and potentially allow external requests to leak. The fix was
worker-src 'none'. Unfortunately this had the side effect of also disallowing Web Workers.Web Workers can be really useful for a lot of applications that need to do anything moderately complex on the front end. In my case, I'm trying to get a LibreOffice app to work but it requires a web worker. I could disable CSP at the server level but that doesn't feel like the right solution.
Web Workers (to my knowledge) don't have the same potential security issues as Service Workers, but there is no way to target just Service Workers. (link) (link)
In the meantime, I think we should be able to protect against Service Workers by instead limiting all worker loads to
'self'and then rejecting the actual Service Worker http requests. I'm not 100% sure of this solution, but it seems to work from what I can tell?