[Connection-Allowlist] Service workers support#60279
Merged
This CL subjects service worker scripts to the Connection Allowlists of the initiator context and subresource fetches from the worker to its own Connection Allowlists.

If a document does a fetch which is intercepted by a SW, then we need to first check the document's CA to make sure we are not forwarding a CA-forbidden request to the SW. We accomplish this by the blink side check since the document's URLLoaderFactory does not get invoked and the SW URLLoaderFactory is directly invoked from the renderer. Tests for these are in ConnectionAllowlistTest.ServiceWorker*.

Service Worker's script fetch and subresources fetch related changes are described below.

Also renames the content/browser/connection_allowlist_gating.* to content/browser/connection_allowlist_utils.* since the new function added is not just about gating.

1. Main Script Fetch: In ServiceWorkerRegisterJob::StartScriptFetchForNewWorker, the loader factory is created via GetLoaderFactoryForMainScriptFetch passing creator_network_restrictions_id_. This ensures that the network factory used to request the main script is tagged with the creator's restrictions ID.

2. Once the main script response is received in ServiceWorkerNewScriptFetcher::OnReceiveResponse, the allowlist headers (if any) are parsed and propagated to WorkerScriptFetcherResult. If parsed_headers is null (such as for extension service workers loaded via custom loaders), we fall back to creating an empty ParsedHeaders object.

3. Update Checks (ServiceWorkerUpdateChecker & ServiceWorkerSingleScriptUpdateChecker): In ServiceWorkerRegisterJob::UpdateAndContinue, GetLoaderFactoryForUpdateCheck is called with creator_network_restrictions_id_. The update checker's URLLoaderFactory is tagged with the creator's restrictions ID so soft update checks are correctly restricted by the creator's allowlist.

4. Worker Subresource Fetches (EmbeddedWorkerInstance & ServiceWorkerVersion)
   Registration with the Network Service: Before starting the worker thread in ServiceWorkerVersion::DidEnsureLiveRegistrationForStartWorker, MaybeRegisterNetworkRestrictions is called. This registers the worker's connection allowlists (retrieved from its policy_container_host_) under its own network_restrictions_id_ with the network service.
   Subresource Loader Factories: In EmbeddedWorkerInstance::CreateFactoryBundle, both the factory bundle for new scripts (used during installation) and the factory bundle for the renderer (used for subresource fetches in global scope) are created with owner_version_->network_restrictions_id(). The network service tags these factories with the worker's own restrictions ID.

5. Database Persistence & Restoration (ServiceWorkerRegistry)
   Storage: During StoreRegistration, the worker's policies (including connection allowlists) are retrieved from its policy container host and serialized into the mojo struct ServiceWorkerRegistrationData::policy_container_policies. This is saved to disk.
   Restoration: In GetOrCreateRegistration, when restoring a saved worker, its policies are loaded from the database. The creator_network_restrictions_id is set to nullopt (since the creator frame is gone), and a new network_restrictions_id is generated. When the restored worker is started, its restored connection allowlists are re-registered with the network service under the new ID. It's ok to retrieve its script without any connection allowlist checks since those checks succeeded the first time it was fetched. The worker's policy container is persisted so its own Connection Allowlists will be checked for any of its subresource requests.

Since web based service workers cannot be from a local scheme (added WPTs to verify this), we don't add any specific inheritance for CA but the calls to ShouldServiceWorkerInheritPolicyContainerFromCreator() should also inherit CA policies (for non-web based workers like from extensions).

Bug: 492456052
Change-Id: Ib3465977c5f23899d40f01c4c534909230636f08
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7597226
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Shivani Sharma <shivanisha@chromium.org>
Reviewed-by: Xiaochen Zhou <xiaochenzh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1640577}
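A constructed Python model of the enforcement points the commit message describes (main script fetched through a factory tagged with the creator's restrictions ID, subresource fetches through factories tagged with the worker's own ID, the blink-side document check before a request is forwarded to the SW, and restoration under a fresh ID). This is an added illustration, not Chromium code; it assumes an allowlist is a set of origins and that None (no parsed headers) means unrestricted.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of the enforcement points described in the CL, not Chromium code.
# Assumption: an allowlist is a set of allowed origins; None means no Connection-Allowlist
# header was parsed (empty ParsedHeaders), i.e. the context is unrestricted.

def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

class NetworkService:
    """Allowlists keyed by network_restrictions_id; each loader factory is tagged with one id."""
    def __init__(self):
        self._allowlists = []
    def register(self, allowlist) -> int:  # MaybeRegisterNetworkRestrictions
        self._allowlists.append(allowlist)
        return len(self._allowlists) - 1  # the id the factory will be tagged with
    def allowed(self, rid: int, url: str) -> bool:  # check done by a factory tagged with rid
        al = self._allowlists[rid]
        return al is None or origin(url) in al

@dataclass
class ServiceWorker:
    script_url: str
    allowlist: "set | None"  # parsed from the worker's own script response headers
    rid: int                 # its own network_restrictions_id
    creator_rid: "int | None"  # creator's id; None once restored from the database

def register_worker(ns, creator_rid, script_url, script_allowlist):
    """Main script fetch goes through a factory tagged with the creator's id (step 1); the
    allowlist parsed from the script response is then registered under the worker's own id."""
    if not ns.allowed(creator_rid, script_url):
        raise PermissionError("main script blocked by the creator's Connection-Allowlist")
    return ServiceWorker(script_url, script_allowlist, ns.register(script_allowlist), creator_rid)

def worker_subresource_fetch(ns, sw, url) -> bool:
    """Subresource factory bundle tagged with the worker's own id (step 4)."""
    return ns.allowed(sw.rid, url)

def document_fetch_via_sw(ns, doc_rid, sw, url) -> bool:
    """Blink-side check: the document's allowlist is consulted before the request is forwarded
    to the SW; the SW is modelled as passing the request through to the network."""
    return ns.allowed(doc_rid, url) and worker_subresource_fetch(ns, sw, url)

def restore_worker(ns, persisted):
    """Restoration (step 5): the creator id is gone, a fresh id is generated and the persisted
    allowlist is re-registered; the script itself is loaded without an allowlist check."""
    return ServiceWorker(persisted.script_url, persisted.allowlist, ns.register(persisted.allowlist), None)
```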
wpt-pr-bot (Collaborator) approved these changes on Jun 3, 2026 and left a comment:

The review process for this patch is being conducted in the Chromium project.