- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Wed, 05 Nov 2014 20:10:44 -0800
- To: public-webapps@w3.org
Received on Tuesday, 11 November 2014 23:51:49 UTC
Hey guys,

I am implementing CSP for Workers in Firefox, but would like to get a clarification on workers and the sandbox flag. Currently, a Worker can inherit or be accompanied by a CSP header. As written, the implications of the sandbox directive on the Worker context are not clear. [Following up on https://github.com/w3c/webappsec/issues/69]

Arguably most of the sandbox flags don't make sense for Workers, but the empty directive (i.e., just sandbox) and sandbox allow-same-origin can have reasonable semantics. So, if a Worker inherits the CSP from the owner document (or parent worker in later specs) or is accompanied by a CSP header which has the 'sandbox' directive, should the worker script's origin be set to a unique origin? Or should we just ignore (and appropriately warn about) the sandbox flag for Workers and address the need for sandboxed Workers separately?

Thanks,
Deian