Nonce attribute for Web Worker

[mikewest]

From @Nadoedalo on September 2, 2015 11:52

Seems that there is no way to set nonce attribute for a Web Worker in order to allow sandbox to do whatever it wants. Maybe there must be a way to set nonce-attribute in header or/and in script string/attribute?

I'm trying to run every unsafe-code in web worker's sandbox but only Chrome understands separate policy for the worker. And because of that I need to run 'unsafe-eval' policy just because I'm using template engine, and that can cause issues and not really offering me a protection.
Here are some links :

Firefox bug tracker
Stackoverflow question

Copied from original issue: w3c/webappsec#464

[mikewest]

I don't really follow what you're trying to do. Can you help me understand with some sample code?

[mikewest]

From @Nadoedalo on September 2, 2015 13:6

I have following CSP header default-src 'self';
And header for sandbox.js default-src 'none'; script-src 'unsafe-eval';
And then I run new Function() in sandbox.js like that :
var worker = new window.Worker('sandbox.js');
and posting message with template and data

What I'm trying to do - run any eval-code in sandbox so it can't get or transphere data. And even if the result of template will be <script> it won't be running because there it isn't allowed to do so.

It is clear that csp-header should be applied to Web Worker with it's own policy, but it isn't anywhere exept of Chrome, and when the policy is voilated - Firefox, for exmaple, refers to original policy for the whole window.

So I thought that there can be anouther way - with nonce attribute. You can actually allow one script to do whatever it wants, so it can be applied to worker in order to allow unsafe-eval only there.

the whole code example :

/*sandbox.js file*/
(function(self){
    self.addEventListener('message', function(e){
        var data = JSON.parse(e.data),
        template = _.template(data.template)(data.data);
        self.postMessage({
            template : template
        });
    });
    self.importScripts('http://underscorejs.org/underscore-min.js');
    return self;
}(self));
/*templace-call function*/
function secureTemplate(template, data){
    var promise = new Promise(function(resolve, reject){
        worker = window._webWorker || new window.Worker('sandbox.js');
        function workerListener(e){
          resolve(e.data.template);
          worker.removeEventListener('message', workerListener.bind(this));
        }
        window._webWorker = worker;
        worker.addEventListener('message', workerListener.bind(this));
        worker.postMessage(JSON.stringify({
          template : template,
          data : data
        }));
    });
    return promise;
}
/*call*/
secureTemplate('<%=name%>', {name : 'Nadoedalo'}).then(function(html){
  console.log(html);
})

so if name had <script>alert(1)</script> it will be processed later if unsafe-eval exists, and I have 'unsafe-eval' directive to support Underscore's _.template(wich runs new Function). But I could reject 'unsafe-eval' directive if I had nonce-attribute set and could run Web Worker with it.

But maybe functional separate policy for Web Worker is just fine, the thing is it is not supported yet.

[mikewest]

After waffling a bit, we've specified the worker model such that the worker inherits the policy from the page that instantiates it. I think this is taken care of today. Hopefully that deals with your use-case.