Re: [webappsec] Clarifying how CSP sandboxing applies to Workers, ServiceWorkers from Brad Hill on 2014-12-01 (public-webappsec@w3.org from December 2014)

From: Brad Hill <hillbrad@fb.com>
Date: Mon, 1 Dec 2014 22:13:26 +0000
To: Deian Stefan <deian@cs.stanford.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D0A227C4.19E0%hillbrad@fb.com>

As workers are specified today, yes.  I would also like to see
Cross-Origin + Sandboxed workers in the future, which is why
I broke this requirement out into two clauses, so we can
go in that direction if needed or desired.

-Brad

On 12/1/14, 2:04 PM, "Deian Stefan" <deian@cs.stanford.edu> wrote:

>
>Brad Hill <hillbrad@fb.com> writes:
>
>> We talked on list in the past about using CSP + sandbox to disable
>> ServiceWorkers.
>>
>> I'd like to propose adding the following normative note to the sandbox
>> directive
>> In CSP.  I believe this is already implied by:
>>
>> 
>>https://urldefense.proofpoint.com/v1/url?u=https://w3c.github.io/webappse

>>c/specs/content-security-policy/%23which-policy&k=ZVNjlDMF0FElm4dQtryO4A%
>>3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=7acoPOm%2FtJLyjVOHYIhl6pyZ
>>WaINFLI34ulkTSLXzBQ%3D%0A&s=d5a94e6cd51962408afc744af0983500b17b22e8bb14c
>>c13180d3dff6249a57e
>> -applies 
>>
>> but it would be good to make it specific as all the sandboxing
>>algorithms
>> we
>> reference only apply to Documents, not "headless" script execution
>> contexts.
>>
>>
>> Proposal:
>> ======================
>>
>> Note: When delivered via an HTTP header, a Content Security Policy may
>> indicate
>>     sandboxing be applied to a JavaScript execution environment that
>>     is not an HTML Document. One such scenario of particular interest is
>> script
>>     content intended to be used for the creation of a Web Worker, Shared
>> Worker or
>>     Service Worker.  While many of the sandboxing flags do not apply to
>> such
>>     environments, if the sandbox directive delivered with the resource
>> used 
>>     to create a worker implies the <code>sandboxed scripts browsing
>>     context flag</code>, or, if the sandbox directive delivered with
>>     such a resource implies the <code>sandboxed origin browsing context
>>     flag</code> and the creation of the new execution context requires
>>     it be same-origin with its creating context, abort the processing
>> model 
>>     for the creation of the new script environment with a network error.
>
>I support something along these lines. I do have a question: for Workers
>wouldn't this always imply that you can't create a Worker with a fresh
>origin? (I am happy to discuss sandboxed workers as a separate feature.)
>
>Deian

Received on Monday, 1 December 2014 22:14:17 UTC