
Re: CSP sandboxing and workers

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 2 Jun 2014 09:13:26 -0700
Message-ID: <CAEeYn8gcCON4B1sR+cpb8uM7MFZsF3Lxv8Yq3sb2V1qmA80kKw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mike@mikewest.org>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>

Sure, I understand.  But I have gotten questions in the past from
smart folks about whether they could, e.g. use CSP / sandboxing to
control execution of script resources served from their domain when
they are included by off-origin resources.

On Mon, Jun 2, 2014 at 9:08 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Jun 2, 2014 at 6:04 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> Among "JavaScript global environment", "document environment",
>> "dedicated worker environment", "shared worker
>> environment", and "worker environment", where does CSP state live and
>> what loads get to influence it?  Maybe a table would be helpful.
>
> CSP is at the same level, roughly. Though there is some mixing when it
> comes to nested environments.
>
>
> --
> http://annevankesteren.nl/
Received on Monday, 2 June 2014 16:13:55 UTC
