
[webappsec] Clarifying how CSP sandboxing applies to Workers, ServiceWorkers

From: Brad Hill <hillbrad@fb.com>
Date: Mon, 1 Dec 2014 21:42:02 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0A220C1.19D7%hillbrad@fb.com>

We talked on list in the past about using CSP + sandbox to disable

I'd like to propose adding the following normative note to the sandbox
In CSP.  I believe this is already implied by:



but it would be good to make it specific as all the sandboxing algorithms
reference only apply to Documents, not "headless" script execution


Note: When delivered via an HTTP header, a Content Security Policy may
    sandboxing be applied to a JavaScript execution environment that
    is not an HTML Document. One such scenario of particular interest is
    content intended to be used for the creation of a Web Worker, Shared Worker or
    Service Worker.  While many of the sandboxing flags do not apply to
    environments, if the sandbox directive delivered with the resource
    to create a worker implies the <code>sandboxed scripts browsing
    context flag</code>, or, if the sandbox directive delivered with
    such a resource implies the <code>sandboxed origin browsing context
    flag</code> and the creation of the new execution context requires
    it be same-origin with its creating context, abort the processing
    for the creation of the new script environment with a network error.

Received on Monday, 1 December 2014 21:42:26 UTC
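
The decision the proposed note describes, sketched as an added example (not part of the original message and not any browser's implementation). The function names and the `requiresSameOrigin` parameter are assumptions for illustration, and the sample header values are constructed.

```javascript
// Added illustration; names are hypothetical, not from the CSP spec or any browser.

// Return the sandbox token set of every policy in a Content-Security-Policy
// header value that contains a sandbox directive.
function sandboxTokenSets(headerValue) {
  const sets = [];
  // A header value may carry several comma-separated policies.
  for (const policy of headerValue.split(",")) {
    const seen = new Set();
    for (const directive of policy.split(";")) {
      const [name, ...tokens] = directive.trim().split(/\s+/);
      if (!name) continue;
      const key = name.toLowerCase();
      if (seen.has(key)) continue; // only the first occurrence of a directive counts
      seen.add(key);
      if (key === "sandbox") sets.push(new Set(tokens.map((t) => t.toLowerCase())));
    }
  }
  return sets;
}

// Decide whether creating a worker from a resource delivered with this header
// should be aborted with a network error under the proposed note.
// requiresSameOrigin: whether the new context must be same-origin with its creator.
function workerCreationDecision(headerValue, requiresSameOrigin) {
  for (const tokens of sandboxTokenSets(headerValue || "")) {
    // sandbox without allow-scripts implies the sandboxed scripts flag.
    if (!tokens.has("allow-scripts")) {
      return { abort: true, reason: "sandboxed scripts browsing context flag" };
    }
    // sandbox without allow-same-origin implies the sandboxed origin flag.
    if (requiresSameOrigin && !tokens.has("allow-same-origin")) {
      return { abort: true, reason: "sandboxed origin browsing context flag" };
    }
  }
  return { abort: false, reason: null };
}

// Constructed sample header values paired with the same-origin requirement.
const samples = [
  ["default-src 'self'", true],
  ["sandbox", true],
  ["sandbox allow-scripts", true],
  ["sandbox allow-scripts", false],
  ["sandbox allow-scripts allow-same-origin", true],
];
for (const [header, sameOrigin] of samples) {
  console.log(header, sameOrigin, workerCreationDecision(header, sameOrigin));
}
```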
