- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 29 Jul 2014 18:12:08 +0200
- To: Joshua Peek <josh@joshpeek.com>
- Cc: Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Ilya Grigorik <igrigorik@google.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>
On Fri, Jul 25, 2014 at 12:05 AM, Joshua Peek <josh@joshpeek.com> wrote:
> Couldn't CSP sandbox apply to service workers?
>
> GET https://raw.githubusercontent.com/worker.html
> navigator.serviceWorker.register('worker.js').
>
> GET https://raw.githubusercontent.com/worker.js
> Content-Security-Policy: sandbox
>
> I'd expect the registration to fail since `worker.js` should be
> considered a separate origin.
But that does seem a bit weird as sandboxing would then only work for
workers if you use allow-same-origin, which seems rather confusing.
How would you envision sandboxing for workers to work in general?
--
http://annevankesteren.nl/
Received on Tuesday, 29 July 2014 16:12:38 UTC