Re: [w3c/ServiceWorker] `<iframe sandbox />` + SW (#1390)

>  By using sandbox without allow-same-origin they are saying they don't trust the content of what they are going to be loading in that context and I don't think we should give it access to the service worker.

But it also implies that untrusted content can conspire with the server endpoint, while with `allow-same-origin` it can effectively do whatever it pleases (assuming it's on the same origin).

> Oh right, I guess there are a bunch of subtleties I had not fully considered. I was only thinking about network requests (which would also be different enough to maybe be a problem), but message access and such would indeed be bad.

That is a good point. In the use case I'm trying to outline, embedded untrusted content should not have access to SW registration, nor should it be able to exchange messages.

I know I'm repeating this, I apologize, but what is the best way to make a case for this? Today there is no way for a PWA to load untrusted content, not offline at least. There is also a growing number of use cases in the P2P space that would drastically benefit from a way to do so: [IPFS](http://ipfs.io/), [Dat](http://datproject.org/), [SSB](https://www.scuttlebutt.nz/), [webtorrent](https://webtorrent.io/), [blockstack](http://blockstack.org/), [zeronet](https://zeronet.io/), to enumerate a few.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1390#issuecomment-465683293

Received on Wednesday, 20 February 2019 17:46:42 UTC
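The exchange above turns on one mechanism: a frame sandboxed without `allow-same-origin` runs under an opaque origin, so it has no service worker registrations to reach and any `postMessage` it sends arrives with `event.origin === "null"`. The following is an added model of that decision, not code from the w3c/ServiceWorker thread or from any browser; the function names (`frameOrigin`, `serviceWorkerReachable`, `shouldTrustMessage`) and the sample origins are hypothetical, and `srcOrigin` is assumed to be the already-computed origin of the URL the frame loads.

```javascript
// Added illustration: how the HTML `sandbox` attribute decides a frame's
// origin, and what an embedder should conclude from it. Function names and
// sample origins are hypothetical; this is a model, not browser code.

const OPAQUE = Symbol("opaque origin");

// Sandbox tokens are ASCII-whitespace separated and ASCII case-insensitive.
// A null attribute means "no sandbox"; an empty string (`<iframe sandbox />`)
// means every restriction applies.
function parseSandboxTokens(attrValue) {
  if (attrValue == null) return null;
  return new Set(
    attrValue
      .split(/[ \t\n\f\r]+/)
      .filter(Boolean)
      .map((token) => token.toLowerCase())
  );
}

// Origin the framed document runs under. Without `allow-same-origin` the
// frame gets a fresh opaque origin regardless of the URL it loads.
function frameOrigin(srcOrigin, sandboxAttrValue) {
  const tokens = parseSandboxTokens(sandboxAttrValue);
  if (tokens === null) return srcOrigin;
  return tokens.has("allow-same-origin") ? srcOrigin : OPAQUE;
}

// Service worker registrations are keyed by origin; an opaque origin owns
// none and cannot create any, so the frame cannot reach the embedder's SW.
function serviceWorkerReachable(srcOrigin, sandboxAttrValue) {
  return frameOrigin(srcOrigin, sandboxAttrValue) !== OPAQUE;
}

// The origin string a postMessage listener in the parent would observe.
function reportedOrigin(srcOrigin, sandboxAttrValue) {
  const origin = frameOrigin(srcOrigin, sandboxAttrValue);
  return origin === OPAQUE ? "null" : origin;
}

// Embedder-side check for a `message` handler: reject the literal "null"
// origin (sandboxed or otherwise opaque sender) and anything not allow-listed.
function shouldTrustMessage(eventOrigin, allowedOrigins) {
  if (eventOrigin === "null") return false;
  return allowedOrigins.includes(eventOrigin);
}

// Constructed sample: the same document framed three ways.
const APP = "https://app.example"; // hypothetical embedder origin
console.log(serviceWorkerReachable(APP, null));                 // no sandbox
console.log(serviceWorkerReachable(APP, "allow-scripts"));      // opaque origin
console.log(reportedOrigin(APP, ""));                           // "null"
console.log(shouldTrustMessage("null", [APP]));                 // rejected
```

The last function is the part an embedder can act on today: a `message` listener that compares `event.origin` against an allow-list automatically excludes content framed without `allow-same-origin`, because such content can only ever present the string `"null"`.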