Source/modules/serviceworkers/ServiceWorkerContainer.cpp - Issue 400903002: Check that Service Workers are registered from secure origins.

Unified Diff: Source/modules/serviceworkers/ServiceWorkerContainer.cpp

Issue 400903002: Check that Service Workers are registered from secure origins. (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Tidy up unused files. Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « Source/modules/modules.gypi ('k') | Source/modules/serviceworkers/ServiceWorkerContainerTest.cpp » ('j') | Source/modules/serviceworkers/ServiceWorkerContainerTest.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/modules/serviceworkers/ServiceWorkerContainer.cpp

diff --git a/Source/modules/serviceworkers/ServiceWorkerContainer.cpp b/Source/modules/serviceworkers/ServiceWorkerContainer.cpp

index 20fbb0e2c45ddfaa25e0a8baf266025fe0bb9bb3..8f50e9ac932cd792c887c3e4d541bd65127a0658 100644

--- a/Source/modules/serviceworkers/ServiceWorkerContainer.cpp

+++ b/Source/modules/serviceworkers/ServiceWorkerContainer.cpp

@@ -94,19 +94,26 @@ ScriptPromise ServiceWorkerContainer::registerServiceWorker(ScriptState* scriptS

return promise;

}

+ // FIXME: This should use the container's execution context, not

+ // the callers.

ExecutionContext* executionContext = scriptState->executionContext();

RefPtr<SecurityOrigin> documentOrigin = executionContext->securityOrigin();

+ if (!documentOrigin->canAccessFeatureRequiringSecureOrigin()) {

+ resolver->reject(DOMException::create(SecurityError, "Service Workers are only supported over secure origins."));

+ return promise;

+ }

KURL patternURL = executionContext->completeURL(options.scope);

patternURL.removeFragmentIdentifier();

if (!documentOrigin->canRequest(patternURL)) {

- resolver->reject(DOMException::create(SecurityError, "Can only register for patterns in the document's origin."));

+ resolver->reject(DOMException::create(SecurityError, "The scope must match the current origin."));

return promise;

}

KURL scriptURL = executionContext->completeURL(url);

scriptURL.removeFragmentIdentifier();

if (!documentOrigin->canRequest(scriptURL)) {

- resolver->reject(DOMException::create(SecurityError, "Script must be in document's origin."));

+ resolver->reject(DOMException::create(SecurityError, "The origin of the script must match the current origin."));

return promise;

}

@@ -138,11 +145,18 @@ ScriptPromise ServiceWorkerContainer::unregisterServiceWorker(ScriptState* scrip

return promise;

}

+ // FIXME: This should use the container's execution context, not

+ // the callers.

RefPtr<SecurityOrigin> documentOrigin = scriptState->executionContext()->securityOrigin();

+ if (!documentOrigin->canAccessFeatureRequiringSecureOrigin()) {

horo 2014/07/22 06:18:22 Why do you check it here? I think we don't need to

+ resolver->reject(DOMException::create(SecurityError, "Service Workers are only supported over secure origins."));

+ return promise;

+ }

KURL patternURL = scriptState->executionContext()->completeURL(pattern);

patternURL.removeFragmentIdentifier();

if (!pattern.isEmpty() && !documentOrigin->canRequest(patternURL)) {

- resolver->reject(DOMException::create(SecurityError, "Can only unregister for patterns in the document's origin."));

+ resolver->reject(DOMException::create(SecurityError, "The scope must match the current origin."));

return promise;

}