Clarification of CSP sandbox and workers from Deian Stefan on 2014-11-06 (public-webapps@w3.org from October to December 2014)

From: Deian Stefan <deian@cs.stanford.edu>
Date: Wed, 05 Nov 2014 20:10:44 -0800
To: public-webapps@w3.org
Message-ID: <87ioitt1dn.fsf@cs.stanford.edu>

Hey guys,

I am implementing CSP for Workers in Firefox, but like to get a
clarification on workers and the sandbox flag. Currently, a Worker can
inherit or be accompanied by a CSP header. As written, the implications
of the sandbox directive on the Worker context is not clear.

[Following up on https://github.com/w3c/webappsec/issues/69]

Arguably most of the sandbox flags don't make sense for Workers, but the
empty directive (i.e., just sandbox) and sandbox allow-same-origin can
have reasonable semantics.  So, if a Worker inherits the CSP from the
owner document (or parent worker in later specs) or is accompanied by a
CSP header which has the 'sandbox' directive, should the worker script's
origin be set to a unique origin?  Or should we just ignore (and
appropriately warn about) the sandbox flag for Workers and address the
need for sandboxed Workers separately?

Thanks,
Deian

Received on Tuesday, 11 November 2014 23:51:49 UTC