- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Tue, 29 Mar 2011 15:13:35 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
I had a feeling that might be the response. Okay, I'll add this to the issue tracker as well: base restrictions (modulo restriction-disabling-options) to be enforced inside Workers. (and I promise the issue tracker items will be converted to hg changesets in the coming days). -Brandon On 03/29/2011 03:05 PM, Adam Barth wrote: > It seems randomly complex to enforce some, but not all, of the > restrictions on workers. We should either enforce them all or enforce > none of them. > > Adam > > > On Tue, Mar 29, 2011 at 3:06 PM, Brandon Sterne <bsterne@mozilla.com> wrote: >> The current Gecko implementation does enforce the script-src >> restrictions on importScripts, but does *not* enforce the >> no-code-into-strings base restriction inside Workers. >> >> The thinking is that since Workers are already very much restricted from >> the DOM and the rest of the page, and are forced to communicate through >> postMessage, that imposing this base restriction there is needless. In >> order to exploit this, the page has to do something unsafe with the data >> returned by the Worker (like pass it to eval), and those things are >> already restricted by CSP. >> >> Does that seem reasonable? >> >> -Brandon
Received on Tuesday, 29 March 2011 22:11:26 UTC