[Webkit-unassigned] [Bug 261734] New: CORP headers mishandled inside Worker
bugzilla-daemon at webkit.org
Tue Sep 19 06:10:32 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=261734
Bug ID: 261734
Summary: CORP headers mishandled inside Worker
Product: WebKit
Version: Safari 16
Hardware: Mac (Apple Silicon)
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jozefchutka at gmail.com
CC: beidson at apple.com
Reproduction steps:
Have https://domain-a/index.html served with headers:
```
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```
and content:
```
<script>
const content = `import { foo } from "https://domain-b/module.js";`;
const blob = new Blob([content], {type:"text/javascript"});
new Worker(URL.createObjectURL(blob), {type:"module"});
</script>
```
And have https://domain-b/module.js served with headers:
```
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *
Cross-Origin-Resource-Policy: cross-origin
```
and whatever content:
```
console.log("hello");
```
This is a valid combination of COOP/COEP vs. CORP headers; however, running https://domain-a/index.html in Safari 16.6 fails to load module.js with the following console error:
```
[Error] Refused to load 'https://domain-b/module.js' worker because of Cross-Origin-Embedder-Policy.
[Error] Worker load was blocked by Cross-Origin-Embedder-Policy
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Cannot load https://domain-b/module.js due to access control checks.
[Error] Failed to load resource: Worker load was blocked by Cross-Origin-Embedder-Policy (module.js, line 0)
[Error] Importing a module script failed.
```
Changing the content of index.html to something like:
```
<script src="https://domain-b/module.js"></script>
```
...will load correctly, confirming the headers are correctly set and the issue is related to the Worker sandbox.
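Added example, not part of the original report and not WebKit code: a sketch of the Fetch Standard checks that decide whether a cross-origin subresource may load under the reported headers. Module imports are fetched in "cors" mode and a classic `<script src>` in "no-cors" mode, so both paths are shown. The function names and the simplified same-site comparison are assumptions.

```javascript
// Added example: the two checks a browser runs before a document with
// COEP may use a cross-origin subresource, following the Fetch Standard.
// Assumption: "same-site" compares the last two host labels, not the PSL.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// CORS check for a request sent without credentials ("cors" mode).
function corsCheck(docUrl, headers) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  return acao === "*" || acao === new URL(docUrl).origin;
}

// Cross-origin resource policy check ("no-cors" mode).
function corpCheck(docUrl, resUrl, headers, coep) {
  const doc = new URL(docUrl), res = new URL(resUrl);
  let policy = header(headers, "Cross-Origin-Resource-Policy");
  if (!["same-origin", "same-site", "cross-origin"].includes(policy)) policy = null;
  // Under require-corp a missing or unknown CORP value is treated as same-origin.
  if (policy === null && coep === "require-corp") policy = "same-origin";
  if (policy === null || policy === "cross-origin") return true;
  if (policy === "same-origin") return doc.origin === res.origin;
  // same-site: an http: requester may not read an https: resource.
  return site(docUrl) === site(resUrl) &&
    (doc.protocol === "https:" || res.protocol !== "https:");
}

function mayLoad({ docUrl, resUrl, mode, coep, headers }) {
  if (new URL(docUrl).origin === new URL(resUrl).origin) return true;
  return mode === "cors" ? corsCheck(docUrl, headers)
                         : corpCheck(docUrl, resUrl, headers, coep);
}

// Constructed input: URLs and header values as given in the report.
const reported = {
  docUrl: "https://domain-a/index.html",
  resUrl: "https://domain-b/module.js",
  coep: "require-corp",
  headers: { "Access-Control-Allow-Origin": "*",
             "Access-Control-Expose-Headers": "*",
             "Cross-Origin-Resource-Policy": "cross-origin" },
};
console.log("module import (cors):", mayLoad({ ...reported, mode: "cors" }));
console.log("classic script (no-cors):", mayLoad({ ...reported, mode: "no-cors" }));
```

Both calls return `true` for the reported headers, and removing the headers from the domain-b response makes both return `false`.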