[Webkit-unassigned] [Bug 278990] New: Worker cannot read File when "CSP: sandbox allow-scripts" is enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 1 12:14:42 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=278990

            Bug ID: 278990
           Summary: Worker cannot read File when "CSP: sandbox
                    allow-scripts" is enabled
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: macOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jacob at bandes-stor.ch

Created attachment 472393

  --> https://bugs.webkit.org/attachment.cgi?id=472393&action=review

test page with worker that reads a file

Reading a file (e.g. `await file.slice(0, 10).arrayBuffer()`) fails inside a Worker if the page was sandboxed with `Content-Security-Policy: sandbox allow-scripts;`.

**Steps to reproduce:**
1. Download sandboxtest.html attached to this bug
2. In the terminal, run:
     while true; do cat sandboxtest.html | nc -l 8080; done
3. In Safari, open http://localhost:8080
4. Open the dev tools console, you should see "hi from worker" indicating the worker was initialized successfully.
5. Click "choose file" and select any file.

**Expected behavior:**
The console shows "read file in main thread: [file contents here]", and "worker received message" with the file object, and "read file in worker: [file contents here]".

This works as expected in Chrome and Firefox.

**Actual behavior:**
The worker is unable to read the file. Error messages appear in the console, including:
- Not allowed to load local resource: blob:null/e9db8288-35fb-471a-a9a0-1c05ad1d8f8c
- Cannot load blob:null/e9db8288-35fb-471a-a9a0-1c05ad1d8f8c due to access control checks.
- Failed to load resource: Not allowed to request resource
- Unhandled Promise Rejection: NotReadableError: The I/O read operation failed.

If you modify sandboxtest.html to remove the "Content-Security-Policy: sandbox allow-scripts;" line at the top, then the worker is able to read the file.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240901/138b71a9/attachment.htm>

More information about the webkit-unassigned mailing list