
Re: CSP: workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 16 May 2013 18:35:56 +0100
Message-ID: <CADnb78gw2rJm4X8fA3gC6hF2uuV1dPoBP2NrdcZ_YYuZ5=+h3g@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Ian Hickson <ian@hixie.ch>, WebAppSec WG <public-webappsec@w3.org>

On Thu, May 16, 2013 at 6:29 PM, Alex Russell <slightlyoff@google.com> wrote:
> I don't think this makes sense. The worker has permissions to do things
> which hosting documents (of which there must be at least one) can do, and
> that means that if I host a worker from a document, it should apply the same
> policy as the document that begat it.

We will have workers, such as controllers and probably event workers
long term, that will run when there are no documents around.

> This is why I've been advocating the splitting when policies differ.

That turns the basic guarantee of origin + shared name into origin +
shared name + CSP of which CSP can be outside the control of the
person writing the scripts. That seems like a bad idea.

Received on Thursday, 16 May 2013 17:36:23 UTC
