Re: [CSP] Directive to disallow a response from being used as a Service Worker

On Tue, Jul 22, 2014 at 1:12 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:
> One way to do this would be to define a CSP directive that says in
> what contexts (http://fetch.spec.whatwg.org/#concept-request-context)
> the protected resource may be used.

This is conceptually similar to 'frame-ancestors' in that it allows a
subresource to control the way it's used by an embedder. I haven't
thought through all the impacts, but it seems like something that's
pretty reasonable to consider.

Are there cases beyond "Don't use this file as a service worker!" in
which this would be useful?

> * Are CSPs the right way to do this? Issue 224 also discusses a
> "Service-Worker: script" header that could be sent with the service
> worker script request, which would be an alternate way to let servers
> handle XSS.

Brian's Content-Type proposal makes more sense to me than a new HTTP
header entirely. I think it makes sense regardless of whether we adopt
a 'context' directive.

> * What CSP directive and values make sense for this?
> * Which spec should define this initially, CSP or Service Workers?

It should end up in CSP if that's the route we decide to take, but
there's no harm in defining it in SW to begin with. Given that CSP2
just hit LC, putting it into SW is almost certainly a faster way to
get it into an implementable state.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 22 July 2014 10:03:27 UTC
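
The "Service-Worker: script" request header mentioned in the quoted text lets a server decide for itself which of its responses may be used as a service worker. The following is an added example of such a server-side check, not code from this thread or from any specification; the allowlist, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side gate keyed on the "Service-Worker: script"
// request header. Everything named here is hypothetical.

// Assumption: the only path this origin intends to serve as a service worker.
const ALLOWED_WORKER_PATHS = new Set(['/sw.js']);

// Look up a header value regardless of the case of its name.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(',') : String(value);
    }
  }
  return undefined;
}

// Decide how to answer a request ({ url, headers }).
// Requests without the marker header are left to normal handling (200 here).
// Requests with it are refused unless the raw path is allowlisted exactly, so
// unusual spellings of the path (dot segments, escapes) fail closed.
function decide(request) {
  const marker = getHeader(request.headers, 'Service-Worker');
  const isWorkerFetch =
    marker !== undefined && marker.trim().toLowerCase() === 'script';
  if (!isWorkerFetch) {
    return { status: 200, reason: 'not a service worker script request' };
  }
  const path = request.url.split('?')[0]; // ignore the query string only
  if (ALLOWED_WORKER_PATHS.has(path)) {
    return { status: 200, reason: 'allowlisted service worker script' };
  }
  return { status: 403, reason: 'response may not be used as a service worker' };
}

// Constructed sample requests, evaluated against the policy above.
function runSamples() {
  const samples = [
    { url: '/sw.js', headers: { 'Service-Worker': 'script' } },
    { url: '/uploads/a.js', headers: { 'service-worker': 'script' } },
    { url: '/uploads/a.js', headers: {} },
    { url: '/a/../sw.js', headers: { 'Service-Worker': 'script' } },
  ];
  return samples.map((request) => decide(request).status);
}

console.log(runSamples());
```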