Re: [ServiceWorker] under what conditions should sandboxed iframes be intercepted? (#648)

@jakearchibald I don't think `allow-scripts` should be required for interception. `allow-same-origin` puts the script in the same origin, so it seems reasonable to me to allow a SW to deal with it.

The usual reason to restrict a sandbox iframe without `allow-scripts` is that untrusted code is going into the iframe, but it needs a combination of something like `allow-same-origin` and `allow-frames`, for example, so that it can create a login form to a same-origin service. However, you don't want to allow arbitrary untrusted JavaScript to execute in the origin, since it would have the capability of effectively XSS'ing your origin.

However, the point is that `allow-scripts` is meant to restrict the *content inside the iframe* from running scripts, since *those* are untrusted. However, the Service Worker is trusted code, so there's no reason it shouldn't be allowed to interact with content inside the iframe.

https://github.com/slightlyoff/ServiceWorker/issues/648#issuecomment-101474613

Received on Wednesday, 13 May 2015 01:12:33 UTC