Re: [CSP] Directive to disallow a response from being used as a Service Worker

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 24 Jul 2014 15:28:40 -0700
Message-ID: <CAPfop_2ic-w4OKvg19hX2UF+BfNgGUdK2c4rR3JFMba+rXvcJw@mail.gmail.com>
To: Joshua Peek <josh@joshpeek.com>
Cc: Mike West <mkwst@google.com>, Ilya Grigorik <igrigorik@google.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevankesteren@gmail.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>
>   GET https://raw.githubusercontent.com/worker.js
>   Content-Security-Policy: sandbox
>
> I'd expect the registration to fail since `worker.js` should be
> considered a separate origin.

That's a pretty cool idea. Currently, sandbox, I believe, only really
talks about what to do for an html page but this seems like a
simple way to disable service worker registration for a particular JS
file.

> Regarding a custom Content-Type for service workers, if we established
> some sort of file extension convention like "foo.serviceworker.js", we
> could configure our /etc/mime.types for GitHub Pages static serving.
>

Exactly. GitHub itself could establish this as a convention and in all
probability it might become more broadly adopted.

cheers
Dev
Received on Thursday, 24 July 2014 22:29:30 UTC