Re: [CSP] Directive to disallow a response from being used as a Service Worker

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 29 Jul 2014 18:12:08 +0200
Message-ID: <CADnb78jX7DRyDKHxiQjD9FERwbJeKJuT=Q7sh6wPKbPTU9ZpVg@mail.gmail.com>
To: Joshua Peek <josh@joshpeek.com>
Cc: Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Ilya Grigorik <igrigorik@google.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>

On Fri, Jul 25, 2014 at 12:05 AM, Joshua Peek <josh@joshpeek.com> wrote:
> Couldn't CSP sandbox apply to service workers?
>   GET https://raw.githubusercontent.com/worker.html
>   navigator.serviceWorker.register('worker.js').
>   GET https://raw.githubusercontent.com/worker.js
>   Content-Security-Policy: sandbox
> I'd expect the registration to fail since `worker.js` should be
> considered a separate origin.

But that does seem a bit weird as sandboxing would then only work for
workers if you use allow-same-origin, which seems rather confusing.
How would you envision sandboxing for workers to work in general?

Received on Tuesday, 29 July 2014 16:12:38 UTC
