- From: Oda, Terri <terri.oda@intel.com>
- Date: Mon, 2 Jun 2014 17:47:31 -0700
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Tuesday, 3 June 2014 00:48:00 UTC
On Mon, Jun 2, 2014 at 9:04 AM, Brad Hill <hillbrad@gmail.com> wrote:
> A wider point of possible confusion here - we need to make sure
> developers understand they can't use CSP to enforce restrictions like
> sandboxing on a script file. (I've had very smart people ask me about
> this in the past - the model of what is a "resource" from the
> browser's internals is not immediately obvious to everyone.)
> (...)
> Among "JavaScript global environment", "document environment",
> "dedicated worker environment", "shared worker
> environment", and "worker environment", where does CSP state live and
> what loads get to influence it? Maybe a table would be helpful.

+1 to the idea of a table. While I haven't directly gotten that question, I could definitely see it coming up, and I know I have had similar confused questions about same origin that seem to be answered most clearly with a table.