
Re: CSP sandboxing and workers

From: Mike West <mkwst@google.com>
Date: Tue, 3 Jun 2014 10:45:28 +0200
Message-ID: <CAKXHy=f6FnUSKpQ=TvL12UM5cyP30t2g3Dk-Q0S+NZgTyVZHOQ@mail.gmail.com>
To: "Oda, Terri" <terri.oda@intel.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

What would you expect such a table to contain?

Sorry, I don't think I've understood the points around which you've heard
developer confusion, Brad.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Jun 3, 2014 at 2:47 AM, Oda, Terri <terri.oda@intel.com> wrote:

> On Mon, Jun 2, 2014 at 9:04 AM, Brad Hill <hillbrad@gmail.com> wrote:
>
>> A wider point of possible confusion here - we need to make sure
>> developers understand they can't use CSP to enforce restrictions like
>> sandboxing on a script file.  (I've had very smart people ask me about
>> this in the past - the model of what is a "resource" from the
>> browser's internals is not immediately obvious to everyone.)
>> (...)
>>
>> Among "JavaScript global environment", "document environment",
>> "dedicated worker environment", "shared worker
>> environment", and "worker environment", where does CSP state live and
>> what loads get to influence it?  Maybe a table would be helpful.
>>
>
> +1 to the idea of a table.
>
> While I haven't directly gotten that question, I could definitely see it
> coming up, and I know I have had similar confused questions about same
> origin that seem to be answered most clearly with a table.
>
Received on Tuesday, 3 June 2014 08:46:17 UTC
