Re: CSP sandboxing and workers from Mike West on 2014-06-01 (public-webappsec@w3.org from June 2014)

From: Mike West <mike@mikewest.org>
Date: Sun, 1 Jun 2014 11:46:44 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
Message-ID: <CAJToGzNYUCmm1gWHpgENg+5aEqOx1vmHTC9kwbxj_=AxooLOLw@mail.gmail.com>

I could certainly see value in sandboxing a worker, at least for the
'allow-same-origin' bits. I'm not sure how applicable the other flags are.

-mike

On Sun, Jun 1, 2014 at 10:04 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> We should note in the specification that sandboxing only has effect
> when CSP applies to a global environment associated with a browsing
> context. It wouldn't apply to workers or e.g. a document fetched
> through XMLHttpRequest.
>
> However, we might want to have it apply to workers, maybe we should
> introduce that?
>
>
> --
> http://annevankesteren.nl/
>
>

Received on Sunday, 1 June 2014 09:47:42 UTC