W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP sandboxing and workers

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 4 Jun 2014 08:06:34 -0700
Message-ID: <CAEeYn8ixA4RykNRpRO=jayo8UNMYY1wjE1WyR5y1pcVMT73DUw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Oda, Terri" <terri.oda@intel.com>, WebAppSec WG <public-webappsec@w3.org>

I'll make a proposal; I think the discussion on SVG (e.g. whether the
including context's CSP policy propagates into the SVG execution context)
will also be relevant here.


On Tue, Jun 3, 2014 at 1:45 AM, Mike West <mkwst@google.com> wrote:

> What would you expect such a table to contain?
>
> Sorry, I don't think I've understood the points around which you've heard
> developer confusion, Brad.
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Tue, Jun 3, 2014 at 2:47 AM, Oda, Terri <terri.oda@intel.com> wrote:
>
>> On Mon, Jun 2, 2014 at 9:04 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>> A wider point of possible confusion here - we need to make sure
>>> developers understand they can't use CSP to enforce restrictions like
>>> sandboxing on a script file.  (I've had very smart people ask me about
>>> this in the past - the model of what is a "resource" from the
>>> browser's internals is not immediately obvious to everyone.)
>>> (...)
>>>
>>> Among "JavaScript global environment", "document environment",
>>> "dedicated worker environment", "shared worker
>>> environment", and "worker environment", where does CSP state live and
>>> what loads get to influence it?  Maybe a table would be helpful.
>>>
>>
>> +1 to the idea of a table.
>>
>> While I haven't directly gotten that question, I could definitely see it
>> coming up, and I know I have had similar confused questions about same
>> origin that seem to be answered most clearly with a table.
>>
>
>
Received on Wednesday, 4 June 2014 15:07:03 UTC