W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: [CSP] Directive to disallow a response from being used as a Service Worker

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 29 Jul 2014 09:35:13 -0700
Message-ID: <CAEeYn8inX9EhB2js3zKgdUMVoWCzceyBi3n-ZUVNTD82M9TDtA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joshua Peek <josh@joshpeek.com>, Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Ilya Grigorik <igrigorik@google.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>
I think the requirement that service workers be same-origin means that
content sandboxed to a unique origin not being able to load a service
worker is a consequence that just naturally falls out.

I don't know that we want to specifically make it more restrictive
than that, because there are proposals floating around to sandbox
named sub-origins that could be shared by several resources, in which
case I could easily imagine service workers being used within those.

On Tue, Jul 29, 2014 at 9:26 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jul 29, 2014 at 6:19 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> Well, a non-same-origin service worker doesn't make sense anyway, and
>> neither do any of the current sandbox directives, so I'm not sure
>> there is a good case for using sandbox on service workers except in
>> this manner to disable them.
>
> Wouldn't a specific header be better in that case? Or maybe if the
> page is sandboxed it should not be able to have a service worker?
>
>
> --
> http://annevankesteren.nl/
Received on Tuesday, 29 July 2014 16:35:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC