Waldemar asked at tc39 plenary if there are attack vectors that source map consumers should be aware of. Loosely around the idea of injecting sourceMappingURL comments that point to malicious pages.
Is there anything we should add to the spec about reading in the mapping URL or the HTTP header and how to do so safely?
FWIW, unintentionally not passing cookies when fetching the source map has been an issue with Firefox in the past. I recently ran into (and filed) https://bugzilla.mozilla.org/show_bug.cgi?id=1899389, and there was a similar issue a few years back (with a different cause).
To summarize: If fetching a source file requires credentials, then the same credentials might be required to fetch the associated source map (although credentials sufficient to fetch the source file may not be sufficient to fetch the source map).
Obviously this should respect things like the SameSite mode and there might be CORS considerations; I'm by no means an expert on this topic, I just know that it's sometimes necessary to pass potentially sensitive cookies :)
I'm not sure I fully understand the attack vector we are worried about here. If an attacker can inject a "sourceMappingURL" comment into a script they could just fetch from the malicious site directly, or inject a malicious payload.
At least in Chrome, source maps are fetched via the page that's debugged. So from the outside it looks like the page just calls fetch(<sourceMappingUrl>).
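Added example (not part of this issue, the source-map spec, or Chrome's or Firefox's code): a small consumer-side locator that shows the two points raised in the thread, forwarding the script's own credentials mode to the source-map fetch, and treating the resolved URL as untrusted input by resolving it against the script URL and allowing only http:, https: and data: schemes. Function names, the header-before-comment ordering, the scheme allowlist and the sample inputs are choices made for this illustration, not requirements the spec states.

```javascript
// Illustrative source-map locator for a debugger or other consumer.
// Assumptions (not from the spec or any browser): `headers` is an object with
// lower-cased keys; the SourceMap header is consulted before the comment; the
// last sourceMappingURL comment in the file wins; only http(s) and data: maps
// are fetched. `//@` is accepted as the deprecated form of `//#`.

// Matches `//# sourceMappingURL=...` and `/*# sourceMappingURL=... */` on a line of their own.
const SOURCE_MAPPING_URL_RE =
  /^[ \t]*\/[/*][#@]\s?sourceMappingURL=(\S+?)\s*(?:\*\/)?[ \t]*$/gm;

const ALLOWED_SCHEMES = new Set(['https:', 'http:', 'data:']);

// Returns the raw (unresolved) mapping URL, or null when the script has none.
function extractSourceMappingURL(scriptText, headers = {}) {
  const fromHeader = headers['sourcemap'] ?? headers['x-sourcemap'];
  if (fromHeader) return fromHeader.trim();
  let last = null;
  for (const m of scriptText.matchAll(SOURCE_MAPPING_URL_RE)) last = m[1];
  return last;
}

// Decides whether and how to fetch the map. `scriptCredentials` is the
// credentials mode the script itself was loaded with ('omit' | 'same-origin' | 'include').
function planSourceMapFetch(scriptURL, mappingURL, scriptCredentials = 'same-origin') {
  let url;
  try {
    url = new URL(mappingURL, scriptURL); // relative maps resolve against the script, not the page
  } catch {
    return { ok: false, reason: 'unparseable sourceMappingURL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `blocked scheme ${url.protocol}` };
  }
  if (url.protocol === 'data:') return { ok: true, inline: true, url: url.href };

  const sameOrigin = url.origin === new URL(scriptURL).origin;
  return {
    ok: true,
    inline: false,
    url: url.href,
    init: {
      // Cross-origin maps go through CORS so the server has to opt in to being read.
      mode: sameOrigin ? 'same-origin' : 'cors',
      // Reuse the script's credentials mode: 'same-origin' already withholds
      // cookies cross-origin, 'include' sends them only where CORS allows it.
      credentials: scriptCredentials,
    },
  };
}

// Decodes the body of a data: URL (base64 or percent-encoded). atob returns a
// binary string, which is adequate for the ASCII JSON source maps usually embed.
function decodeDataURL(href) {
  const comma = href.indexOf(',');
  if (comma < 0) throw new Error('malformed data: URL');
  const meta = href.slice('data:'.length, comma);
  const payload = href.slice(comma + 1);
  return /;base64$/i.test(meta) ? atob(payload) : decodeURIComponent(payload);
}

// End-to-end: locate, vet, fetch (or decode) and parse the map.
async function fetchSourceMap(scriptURL, scriptText, headers, scriptCredentials) {
  const mapping = extractSourceMappingURL(scriptText, headers);
  if (mapping === null) return null;
  const plan = planSourceMapFetch(scriptURL, mapping, scriptCredentials);
  if (!plan.ok) throw new Error(`refusing to fetch source map: ${plan.reason}`);
  if (plan.inline) return JSON.parse(decodeDataURL(plan.url));
  const res = await fetch(plan.url, plan.init);
  if (!res.ok) throw new Error(`source map fetch failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample input (not a real script): two comments, the last one wins.
const SAMPLE_SCRIPT =
  'const a = 1;\n//# sourceMappingURL=old.map\n' +
  'const b = 2;\n//# sourceMappingURL=app.js.map\n';

// Constructed inline map: base64 of {"version":3}
const SAMPLE_INLINE_MAP = 'data:application/json;base64,eyJ2ZXJzaW9uIjozfQ==';
```

The point of `planSourceMapFetch` is that the map request inherits the script's credentials mode instead of being sent either always-with-cookies or never-with-cookies, which is the failure mode described in the Firefox bug above; the scheme allowlist is what stops an injected comment from steering the consumer at `file:` or `javascript:` targets.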