Re: [CSP] Directive to disallow a response from being used as a Service Worker

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Sun, 27 Jul 2014 13:25:31 -0700
Message-ID: <CANh-dXmDq02A3-3Ab14Lhcp5izT-cGKHoctxzcXHiTgBGXgjag@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Joshua Peek <josh@joshpeek.com>, Mike West <mkwst@google.com>, Ilya Grigorik <igrigorik@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Anne van Kesteren <annevankesteren@gmail.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>

On Thu, Jul 24, 2014 at 3:28 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>   GET https://raw.githubusercontent.com/worker.js
>>   Content-Security-Policy: sandbox
>>
>> I'd expect the registration to fail since `worker.js` should be
>> considered a separate origin.
>
> That's a pretty cool idea. Currently, sandbox, I believe, only really
> talks about what to do for an html page but this seems like a
> simple way to disable service worker registration for a particular JS
> file.

I've tried to apply this at
https://github.com/slightlyoff/ServiceWorker/pull/389. It's clearly
not quite the wording we'll want in the long run as there's time to
fix up other specs, but I think it has the right effect for now.
Received on Sunday, 27 July 2014 20:26:18 UTC
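
The check discussed in this thread, modelled as an added example that is not part of the original message, the pull request, or any browser's code. The function names and the page URL are hypothetical, and the handling of `allow-same-origin` is an assumption carried over from how sandboxed documents behave.

```javascript
// Added illustration: a model of the proposed check, not spec or browser code.

// Parse Content-Security-Policy header values into policies (Map: name -> tokens).
function parsePolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(','))   // one header value may carry several policies
    .map((policy) => {
      const directives = new Map();
      for (const part of policy.split(';')) {
        const [name, ...tokens] = part.trim().split(/\s+/).filter(Boolean);
        if (!name) continue;                 // empty segment, e.g. trailing ';'
        const key = name.toLowerCase();      // directive names are case-insensitive
        if (!directives.has(key)) directives.set(key, tokens); // first occurrence wins
      }
      return directives;
    });
}

// Assumption: any `sandbox` directive without `allow-same-origin` places the
// response in a unique (opaque) origin, represented here as null.
function effectiveOrigin(scriptUrl, cspHeaderValues) {
  const sandboxed = parsePolicies(cspHeaderValues).some((policy) => {
    const tokens = policy.get('sandbox');
    return tokens !== undefined &&
      !tokens.some((t) => t.toLowerCase() === 'allow-same-origin');
  });
  return sandboxed ? null : new URL(scriptUrl).origin;
}

// Hypothetical helper: registration is allowed only when the script's
// effective origin matches the registering page's origin.
function mayRegister(pageUrl, scriptUrl, cspHeaderValues) {
  const origin = effectiveOrigin(scriptUrl, cspHeaderValues);
  return origin !== null && origin === new URL(pageUrl).origin;
}

// Constructed sample: the script URL is the one quoted above, the page URL is made up.
const page = 'https://raw.githubusercontent.com/some/page.html';
const script = 'https://raw.githubusercontent.com/worker.js';
for (const csp of [[], ['sandbox'], ["default-src 'self'; sandbox allow-scripts"]]) {
  console.log(JSON.stringify(csp), '->', mayRegister(page, script, csp));
}
```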