- From: Brad Hill <hillbrad@fb.com>
- Date: Wed, 19 Nov 2014 00:29:51 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Added IE 11 behavior for iframe sandbox. Even more fun inconsistencies now.

On 11/18/14, 3:40 PM, "Brad Hill" <hillbrad@fb.com> wrote:

>I've started a document here comparing Chrome vs. Firefox behavior for
>sandboxing with workers.
>
>https://docs.google.com/document/d/1V3qYOkI2or_d59-t7E3nWMx48T3iDWoSzyYs1S1K_fU/edit?usp=sharing
>
>Notable items:
>
>  location.origin reports the origin even when inside an origin
>  sandbox that tests as null elsewhere.
>
>  Firefox supports the sandbox attribute of iframe, but not the
>  sandbox CSP directive.
>
>  Chrome is consistent in its handling of sandboxing whether applied
>  from CSP or iframe.
>
>  Firefox allows creation of Workers from data: urls, Chrome does
>  not.
>
>  Chrome does not support sub-Workers. (The Worker constructor is
>  undefined in a worker environment)
>
>  Firefox supports sub-Workers.
>
>  Workers in Firefox cannot create sub-Workers from a blob: (no
>  window.URL.createObjectURL method). But they can create
>  sub-Workers from a data: url.
>
>  Otherwise, they agree pretty well, except that Chrome reports the
>  location.origin of a blob created with allow-same-origin as the
>  origin of the creating page, or the string "://" if from a
>  sandboxed origin, and Firefox always reports location.origin of a
>  blob as "null".
>
>
>Still need to think about what behavior is most sensible to try to
>specify, but thought I'd share early results to spur discussion.
>
>-Brad
>
Received on Wednesday, 19 November 2014 00:30:17 UTC
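
The items compared in the message (reported `location.origin`, availability of the `Worker` constructor inside a worker, availability of `URL.createObjectURL`) can be recorded with a small capability probe. This is an added example, not part of the original message or the linked document; `probeScope`, `subWorkerSources`, `diffReports` and `PROBE_SRC` are hypothetical names, and the script assumes it is loaded either in a page or as a worker script.

```javascript
// Added example: capability probe for a window or worker global scope.
// All names here are hypothetical and not taken from the original thread.
const PROBE_SRC = 'postMessage(String(location.origin))';

// Record what a global scope reports about itself.
function probeScope(scope) {
  const loc = scope.location || {};
  return {
    origin: String(loc.origin), // compare against the origin observed elsewhere
    canConstructWorker: typeof scope.Worker === 'function',
    canCreateBlobURL: !!scope.URL && typeof scope.URL.createObjectURL === 'function',
  };
}

// URLs worth attempting with `new scope.Worker(url)` from this scope.
// An empty list means nested workers cannot be constructed here at all.
function subWorkerSources(scope) {
  const report = probeScope(scope);
  if (!report.canConstructWorker) return [];
  const urls = ['data:application/javascript,' + encodeURIComponent(PROBE_SRC)];
  if (report.canCreateBlobURL) {
    const blob = new scope.Blob([PROBE_SRC], { type: 'application/javascript' });
    urls.push(scope.URL.createObjectURL(blob));
  }
  return urls;
}

// Keys on which two probe reports disagree (e.g. two browsers, or
// iframe-sandboxed vs. CSP-sandboxed loads of the same page).
function diffReports(a, b) {
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

// When loaded as a worker script, send the results to the creating page.
if (typeof WorkerGlobalScope !== 'undefined' && self instanceof WorkerGlobalScope) {
  self.postMessage({ report: probeScope(self), candidates: subWorkerSources(self) });
}
```

Whether a candidate URL is actually accepted still has to be observed by constructing the worker and listening for its `message` and `error` events, since feature detection alone does not show scheme restrictions.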