Re: [ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

> It sounds like your "bad feeling" might be satisfied by a CSP header to remove all access to storage APIs in the browser.

What would be the difference between setting the CSP header that removes all access to storage APIs and not using the storage APIs in service workers?

I think it is more desirable to introduce a CSP or similar mechanism that:
* limits global APIs to read-only access
* retains full API access in service workers
* allows selecting which storage API is affected by the CSP header (or similar)

---
https://github.com/slightlyoff/ServiceWorker/issues/698#issuecomment-106493351

Received on Thursday, 28 May 2015 17:07:18 UTC