Re: Clarification of CSP sandbox and workers from Ian Hickson on 2014-11-12 (public-webapps@w3.org from October to December 2014)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 12 Nov 2014 21:02:25 +0000 (UTC)
To: Mike West <mkwst@google.com>
cc: Anne van Kesteren <annevk@annevk.nl>, Deian Stefan <deian@cs.stanford.edu>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <alpine.DEB.2.00.1411122102000.7063@ps20323.dreamhostps.com>

On Wed, 12 Nov 2014, Mike West wrote:
>
> The CSP spec should just delegate to HTML here. If/when HTML defines 
> sandboxing with regard to Workers, CSP will just start using those 
> hooks.
> 
> I'd agree, for example, that it does appear that sandboxing a worker 
> into a unique origin could be interesting. It's not clear to me whether 
> any of the other flags would be useful, though.
> 
> Ian, WDYT?

Happy to add features if browsers are going to implement them. Just file a 
bug describing what the feature is. :-)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 12 November 2014 21:02:51 UTC