CSP worker-src doesn't match where workers are loaded from #26700

Open
dbkr opened this issue Dec 5, 2023 · 2 comments
Labels
O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect

Comments

@dbkr
Member

dbkr commented Dec 5, 2023

Steps to reproduce

For the develop deployment, our CSP in the meta tag has a worker-src of 'self' blob: https://element-web-develop.element.io;. This would suggest that it ought to be able to load workers from https://element-web-develop.element.io, however when #26698 happened, worker loads 301ed to a location on the above origin and then failed to load.

It may be that redirects are simply unsupported for worker loading under CSPs, but if so are we loading workers from that origin at all? If not, we should remove it.

Outcome

What did you expect?

What happened instead?

Operating system

No response

Browser information

No response

URL for webapp

No response

Application version

No response

Homeserver

No response

Will you send logs?

No

@dbkr dbkr added the T-Defect label Dec 5, 2023
@t3chguy
Member

t3chguy commented Dec 5, 2023

> It may be that redirects are simply unsupported for worker loading under CSPs, but if so are we loading workers from that origin at all? If not, we should remove it.

The fallback redirect applies to the entire bundle directory

@florianduros florianduros added S-Major Severely degrades major functionality or product features, with no satisfactory workaround O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Dec 6, 2023
@richvdh
Member

richvdh commented Jan 23, 2025

> > It may be that redirects are simply unsupported for worker loading under CSPs, but if so are we loading workers from that origin at all? If not, we should remove it.
>
> The fallback redirect applies to the entire bundle directory

@t3chguy I'm slightly unclear what this means, in practice. Are you saying that the worker-src does match where workers are loaded from (in which case, this issue is incorrect and should probably be closed)?
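
The check the opening post asks for, whether any worker is actually loaded from each `worker-src` entry, sketched as an added example that is not part of the issue thread or the project's code. The document origin and worker URLs are constructed, the function names are hypothetical, and matching is simplified to `'self'`, scheme sources and plain `scheme://host` sources; redirects are not modelled.

```javascript
// Added example (not project code): which worker-src entries do observed worker URLs use?
// Simplified: no wildcards, paths, nonces or hashes; redirects are not modelled.
// CSP3 fallback chain for worker loads.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function effectiveWorkerSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // First occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  const chosen = WORKER_FALLBACK.find((d) => directives.has(d));
  return chosen ? directives.get(chosen) : null; // null: workers are unrestricted
}

// scheme://host[:port]; a blob: URL yields "blob://", so it never equals an https origin.
function schemeHost(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sourceMatches(source, url, documentOrigin) {
  if (source === "'self'") return schemeHost(url) === schemeHost(documentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return new URL(url).protocol === source.toLowerCase();
  if (/^https?:\/\/[^/*]+\/?$/i.test(source)) return schemeHost(url) === schemeHost(source);
  return false; // expression kinds outside this sketch
}

function auditWorkerSrc(csp, documentOrigin, observedWorkerUrls) {
  const sources = effectiveWorkerSources(csp);
  if (sources === null) return { unused: [], blocked: [] };
  const used = new Set();
  const blocked = [];
  for (const url of observedWorkerUrls) {
    const hits = sources.filter((s) => sourceMatches(s, url, documentOrigin));
    hits.forEach((s) => used.add(s));
    if (hits.length === 0) blocked.push(url);
  }
  return { unused: sources.filter((s) => !used.has(s)), blocked };
}

// The worker-src value is from the issue; the origin and URLs below are constructed.
const CSP = "worker-src 'self' blob: https://element-web-develop.element.io;";
const DOC_ORIGIN = "https://app.example.test";
const OBSERVED = [
  "https://app.example.test/bundles/0000/worker.js",
  "blob:https://app.example.test/00000000-0000-0000-0000-000000000000",
];
console.log(auditWorkerSrc(CSP, DOC_ORIGIN, OBSERVED));
```

Feeding it the worker URLs recorded from a real session (for example from the browser's network panel) lists the source expressions that nothing relied on, which are the candidates for removal.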
