Bug 278990 (Status: NEW)
Worker cannot read File when "CSP: sandbox allow-scripts" is enabled
https://bugs.webkit.org/show_bug.cgi?id=278990
Jacob Bandes-Storch
Reported 2024-09-01 12:14:42 PDT
Created attachment 472393 [details]
test page with worker that reads a file

Reading a file (e.g. `await file.slice(0, 10).arrayBuffer()`) fails inside a Worker if the page was sandboxed with `Content-Security-Policy: sandbox allow-scripts;`.

**Steps to reproduce:**
1. Download sandboxtest.html attached to this bug
2. In the terminal, run: `while true; do cat sandboxtest.html | nc -l 8080; done`
3. In Safari, open http://localhost:8080
4. Open the dev tools console, you should see "hi from worker" indicating the worker was initialized successfully.
5. Click "choose file" and select any file.

**Expected behavior:**
The console shows "read file in main thread: [file contents here]", and "worker received message" with the file object, and "read file in worker: [file contents here]". This works as expected in Chrome and Firefox.

**Actual behavior:**
The worker is unable to read the file. Error messages appear in the console, including:
- Not allowed to load local resource: blob:null/e9db8288-35fb-471a-a9a0-1c05ad1d8f8c
- Cannot load blob:null/e9db8288-35fb-471a-a9a0-1c05ad1d8f8c due to access control checks.
- Failed to load resource: Not allowed to request resource
- Unhandled Promise Rejection: NotReadableError: The I/O read operation failed.

If you modify sandboxtest.html to remove the "Content-Security-Policy: sandbox allow-scripts;" line at the top, then the worker is able to read the file.
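A constructed minimal reproduction, added here and not the sandboxtest.html attachment from this report: a small Python server sends `Content-Security-Policy: sandbox allow-scripts` as a real response header (the sandbox directive is ignored when delivered in a `<meta>` tag, which is why the report relies on `nc`) and serves a page in which the main thread and a blob: URL worker each read the first 10 bytes of the chosen file; the `sandboxed=False` path is the control run without the header.

```python
"""Constructed reproduction (not the sandboxtest.html attachment): serve a page under a real
CSP sandbox allow-scripts response header; main thread and a blob: URL worker both read the file."""
from http.server import BaseHTTPRequestHandler, HTTPServer

CSP_VALUE = "sandbox allow-scripts"

PAGE = """<!DOCTYPE html>
<meta charset="utf-8">
<input type="file" id="f">
<script>
const hex = buf => [...new Uint8Array(buf)].map(b => b.toString(16).padStart(2, "0")).join(" ");
const workerSrc = `console.log("hi from worker");
self.onmessage = async ({ data }) => {
  console.log("worker received message", data);
  try { postMessage({ buf: await data.file.slice(0, 10).arrayBuffer() }); }
  catch (e) { postMessage({ err: String(e) }); }  // NotReadableError from the report lands here
};`;
const worker = new Worker(URL.createObjectURL(new Blob([workerSrc], { type: "text/javascript" })));
worker.onmessage = ({ data }) =>
  console.log(data.err ? "worker could not read file: " + data.err : "read file in worker: " + hex(data.buf));
document.getElementById("f").onchange = async ev => {
  const file = ev.target.files[0];
  console.log("got file", file.name);
  console.log("read file in main thread:", hex(await file.slice(0, 10).arrayBuffer()));
  worker.postMessage({ file });
};
</script>
"""


def response_for(path, sandboxed=True):
    """Return (status, headers, body) for a request path; only "/" serves the test page."""
    if path != "/":
        return 404, {"Content-Type": "text/plain"}, b"not found\n"
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if sandboxed:  # the header, not a <meta> tag, is what puts the document in a sandbox
        headers["Content-Security-Policy"] = CSP_VALUE
    return 200, headers, PAGE.encode()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = response_for(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("localhost", 8080), Handler).serve_forever()  # then open http://localhost:8080
```

Run it, open the page in the browser under test, pick a file and compare the two console lines; the worker read failing only while the header is present reproduces the report.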
Attachments
- test page with worker that reads a file (1.01 KB, text/html), 2024-09-01 12:14 PDT, Jacob Bandes-Storch
- screenshot showing the issue still occurs in STP 202 (474.91 KB, image/png), 2024-09-04 21:03 PDT, Jacob Bandes-Storch
Karl Dubost
Comment 1 2024-09-03 23:46:01 PDT
Tested in
Safari Technology Preview 202 20620.1.2
Firefox Nightly 131.0a1 13124.8.23
Google Chrome Canary 130.0.6680.0 6680.0

Safari
[Log] hi from worker (fd1c2293-b9c3-409a-94a2-2e869d5d45c8, line 2)
[Log] got file (testcase.html, line 25)
[Log] read file in main thread: – "3c 21 44 4f 43 54 59 50 45 20" (testcase.html, line 28)
[Log] worker received message – {file: File} (fd1c2293-b9c3-409a-94a2-2e869d5d45c8, line 4)
{file: File}Object
[Log] read file in worker: – "3c 21 44 4f 43 54 59 50 45 20" (fd1c2293-b9c3-409a-94a2-2e869d5d45c8, line 6)

Firefox
hi from worker 5b9674ee-90ce-4170-940a-adfeb846d2a6:2:15
got file testcase.html:25:15
read file in main thread: 3c 21 44 4f 43 54 59 50 45 20 testcase.html:28:15
worker received message Object { file: File } 5b9674ee-90ce-4170-940a-adfeb846d2a6:4:17
read file in worker: 3c 21 44 4f 43 54 59 50 45 20 5b9674ee-90ce-4170-940a-adfeb846d2a6:6:17

Chrome
hi from worker
testcase.html:25 got file
testcase.html:28 read file in main thread: 3c 21 44 4f 43 54 59 50 45 20
8c423481-6b4f-47b4-aa9a-b8b1bb704ab3:4 worker received message {file: File}
8c423481-6b4f-47b4-aa9a-b8b1bb704ab3:6 read file in worker: 3c 21 44 4f 43 54 59 50 45 20

Jacob, which Safari version did you use? Is it fixed for you with STP 202?
Jacob Bandes-Storch
Comment 2 2024-09-04 21:02:56 PDT
Hi there, thanks for the quick reply. I just tested in STP 202 (macOS 14.6.1 23G93) and I see the same issue, "Not allowed to load local resource". In case it was missed, please note that to reproduce the issue you must use `nc -l` as mentioned in the original report, for the CSP header to be set. (See screenshot attached)
Jacob Bandes-Storch
Comment 3 2024-09-04 21:03:37 PDT
Created attachment 472458 [details] screenshot showing the issue still occurs in STP 202
Radar WebKit Bug Importer
Comment 4 2024-09-08 12:15:13 PDT
Ryan Reno
Comment 5 2025-08-29 11:00:11 PDT
This is happening because we're applying the sandbox to all documents or global scopes when the spec says we should only be applying the sandbox to workers. (See the sandbox initialization algorithm here: https://w3c.github.io/webappsec-csp/#sandbox-init) The effect of "over sandboxing" causes the file resource loaded from the main thread to have a different opaque origin from the worker's blob. The fix is to follow the standard and not set sandbox flags on a document or global scope unless it is a worker.
Ryan Reno
Comment 6 2025-08-29 11:59:03 PDT
Actually it's a little more complex than that but the gist of it is we're blocking resources because we're applying sandboxing in an overly restrictive way.