- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 29 Jul 2014 09:35:13 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Joshua Peek <josh@joshpeek.com>, Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Ilya Grigorik <igrigorik@google.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>

I think the requirement that service workers be same-origin means that content sandboxed to a unique origin not being able to load a service worker is a consequence that just naturally falls out.

I don't know that we want to specifically make it more restrictive than that, because there are proposals floating around to sandbox named sub-origins that could be shared by several resources, in which case I could easily imagine service workers being used within those.

On Tue, Jul 29, 2014 at 9:26 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jul 29, 2014 at 6:19 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> Well, a non-same-origin service worker doesn't make sense anyway, and
>> neither do any of the current sandbox directives, so I'm not sure
>> there is a good case for using sandbox on service workers except in
>> this manner to disable them.
>
> Wouldn't a specific header be better in that case? Or maybe if the
> page is sandboxed it should not be able to have a service worker?
>
>
> --
> http://annevankesteren.nl/

Received on Tuesday, 29 July 2014 16:35:43 UTC