- From: Brad Hill <hillbrad@fb.com>
- Date: Mon, 1 Dec 2014 21:42:02 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
We talked on list in the past about using CSP + sandbox to disable ServiceWorkers. I'd like to propose adding the following normative note to the sandbox directive In CSP. I believe this is already implied by: https://w3c.github.io/webappsec/specs/content-security-policy/#which-policy -applies but it would be good to make it specific as all the sandboxing algorithms we reference only apply to Documents, not "headless" script execution contexts. Proposal: ====================== Note: When delivered via an HTTP header, a Content Security Policy may indicate sandboxing be applied to a JavaScript execution environment that is not an HTML Document. One such scenario of particular interest is script content intended to be used for the creation of a Web Worker, Shared Worker or Service Worker. While many of the sandboxing flags do not apply to such environments, if the sandbox directive delivered with the resource used to create a worker implies the <code>sandboxed scripts browsing context flag</code>, or, if the sandbox directive delivered with such a resource implies the <code>sandboxed origin browsing context flag</code> and the creation of the new execution context requires it be same-origin with its creating context, abort the processing model for the creation of the new script environment with a network error.
Received on Monday, 1 December 2014 21:42:26 UTC