Re: [CSP] Directive to disallow a response from being used as a Service Worker

On Fri, Jul 25, 2014 at 12:05 AM, Joshua Peek <josh@joshpeek.com> wrote:
> Couldn't CSP sandbox apply to service workers?
>
>   GET https://raw.githubusercontent.com/worker.html
>   navigator.serviceWorker.register('worker.js').
>
>   GET https://raw.githubusercontent.com/worker.js
>   Content-Security-Policy: sandbox
>
> I'd expect the registration to fail since `worker.js` should be
> considered a separate origin.

But that does seem a bit weird as sandboxing would then only work for
workers if you use allow-same-origin, which seems rather confusing.
How would you envision sandboxing for workers to work in general?


-- 
http://annevankesteren.nl/

Received on Tuesday, 29 July 2014 16:12:38 UTC
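
Added example, not part of the original message: a small model of the behaviour discussed in this thread, where a `sandbox` CSP on the worker script response gives it a unique origin, so a same-origin registration check only passes when `allow-same-origin` is present. It models the proposal as discussed here, not what any browser or specification does; all function names are hypothetical.

```javascript
// Model of the semantics discussed in this thread (an assumption, not
// browser or spec behaviour). All function names are hypothetical.

// Return the sandbox tokens from a Content-Security-Policy header value,
// or null if the policy has no sandbox directive.
function sandboxTokens(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const [name, ...tokens] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'sandbox') return tokens.map(t => t.toLowerCase());
  }
  return null;
}

// Effective origin of a response: sandboxing without allow-same-origin
// yields a unique (opaque) origin, represented here as null.
function effectiveOrigin(url, cspHeader) {
  const tokens = sandboxTokens(cspHeader);
  if (tokens !== null && !tokens.includes('allow-same-origin')) return null;
  return new URL(url).origin;
}

// Registration succeeds only if the script's effective origin is not opaque
// and matches the origin of the registering page.
function registrationAllowed(pageUrl, scriptUrl, scriptCsp) {
  const scriptOrigin = effectiveOrigin(scriptUrl, scriptCsp);
  return scriptOrigin !== null && scriptOrigin === new URL(pageUrl).origin;
}

// URLs from the message above; header values are constructed samples.
const page = 'https://raw.githubusercontent.com/worker.html';
const script = 'https://raw.githubusercontent.com/worker.js';
const cases = [
  null,
  'sandbox',
  'sandbox allow-scripts',
  'sandbox allow-same-origin',
  "default-src 'self'; sandbox allow-scripts allow-same-origin",
];
for (const csp of cases) {
  console.log(JSON.stringify(csp), '->', registrationAllowed(page, script, csp));
}
```

Under this model every sandboxed script response is rejected unless it carries `allow-same-origin`, which is the situation the reply describes.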