W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

Re: Interaction with Workers (was Re: setTimeout error handling)

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 29 Mar 2011 15:13:35 -0700
Message-ID: <4D92598F.7020207@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
I had a feeling that might be the response.  Okay, I'll add this to the
issue tracker as well: base restrictions (modulo
restriction-disabling-options) to be enforced inside Workers.

(and I promise the issue tracker items will be converted to hg
changesets in the coming days).

-Brandon


On 03/29/2011 03:05 PM, Adam Barth wrote:
> It seems randomly complex to enforce some, but not all, of the
> restrictions on workers.  We should either enforce them all or enforce
> none of them.
> 
> Adam
> 
> 
> On Tue, Mar 29, 2011 at 3:06 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
>> The current Gecko implementation does enforce the script-src
>> restrictions on importScripts, but does *not* enforce the
>> no-code-into-strings base restriction inside Workers.
>>
>> The thinking is that since Workers are already very much restricted from
>> the DOM and the rest of the page, and are forced to communicate through
>> postMessage, that imposing this base restriction there is needless.  In
>> order to exploit this, the page has to do something unsafe with the data
>> returned by the Worker (like pass it to eval), and those things are
>> already restricted by CSP.
>>
>> Does that seem reasonable?
>>
>> -Brandon
Received on Tuesday, 29 March 2011 22:11:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 29 March 2011 22:11:27 GMT