Medium severity (6.1) · NVD Advisory · Published Jun 5, 2016 · Updated May 6, 2026

CVE-2016-1682

Description

Blink's ServiceWorkerContainer::registerServiceWorkerImpl fails to apply Content Security Policy checks, allowing CSP bypass via ServiceWorker registration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in Blink's ServiceWorkerContainer::registerServiceWorkerImpl function within WebKit/Source/modules/serviceworkers/ServiceWorkerContainer.cpp. In Google Chrome prior to version 51.0.2704.63, the function does not perform Content Security Policy (CSP) checks when registering a Service Worker. This oversight means that a Service Worker can be registered even if its script URL or execution context would otherwise be blocked by a site's CSP directive (such as child-src or worker-src). The code path is reachable via the standard navigator.serviceWorker.register() API, which is accessible to any web page running in a secure context [1][2][3].

Exploitation

An attacker who can serve a web page to a victim (either directly or through an XSS/redirect) can call navigator.serviceWorker.register() with a script URL that violates the page's CSP. No special network position is required; the attack works from any origin that can deliver JavaScript to the victim's browser. The registration request will be processed without CSP validation, allowing the Service Worker to be installed despite CSP restrictions. User interaction is not required beyond loading the malicious page [3].

Impact

Successful exploitation bypasses the Content Security Policy protection mechanism entirely. Once a Service Worker is registered, the attacker can intercept and control network requests made by the page, potentially reading or modifying response content. This can lead to information disclosure, injection of malicious content, or further attacks such as credential theft against the vulnerable origin. The attacker gains persistent control over the victim's browsing session to the affected origin, with no additional user prompts [1][2][3].

Mitigation

Google addressed this issue in Chrome 51.0.2704.63, released on June 1, 2016. The fix enforces CSP checks before registering a Service Worker, ensuring that the registration is blocked if the worker script violates the page's CSP. A code review (chromium issue 1861253004) implemented the check, aligning Chrome's behavior with Firefox's existing practice. Users should update to Chrome 51.0.2704.63 or later. Distributions such as Red Hat (via RHSA-2016:1190), Ubuntu (via USN-2992-1), and Gentoo (via GLSA 201607-07) have released corresponding updates. There is no known workaround other than applying the patched browser version [1][2][3][4].
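As an added illustration (example code written for this page, not Blink's own), the following JavaScript models the registration-time check the fix introduces: resolve the worker script URL against the page origin, find the governing directive through the CSP3 fallback chain (worker-src, child-src, script-src, default-src), and allow navigator.serviceWorker.register() to proceed only if some source expression matches. It assumes a reduced source grammar: 'self', 'none', '*' and host-sources with optional scheme, wildcard subdomain and port; nonces, hashes, path matching and scheme-only sources are not modelled.

```javascript
// Simplified model of the CSP check enforced before a service worker
// is registered. Example code, not Blink's: only 'self', 'none', '*' and
// host-source expressions are modelled (no nonces, hashes, paths or
// scheme-only sources), and an explicit scheme must match exactly.

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Fallback chain governing worker scripts in CSP3:
// worker-src, then child-src, then script-src, then default-src.
function workerSources(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: nothing to enforce
}

// Does one source expression match the resolved worker script URL?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return true;
  if (s.startsWith("'")) return false; // 'none' and other keywords never match a URL
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== url.protocol) return false;
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  const urlPort = url.port || defaultPort;
  if (!port) return urlPort === defaultPort; // no port-part: only the default port matches
  return port === '*' || port === urlPort;
}

// Registration-time decision: true means navigator.serviceWorker.register()
// may proceed, false means the browser must reject it as a CSP violation.
function workerRegistrationAllowed(cspHeader, pageOrigin, scriptUrl) {
  const sources = workerSources(parseCsp(cspHeader));
  if (sources === null) return true;
  const url = new URL(scriptUrl, pageOrigin);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}
```

With the policy `default-src 'self'; child-src 'none'` on an origin, a patched browser rejects even a same-origin worker script; the unpatched function described above would have skipped this decision entirely.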

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
