Re: CSP sandboxing and workers

I've taken a stab at this in
https://github.com/w3c/webappsec/commit/3f2e54ccefed51f193d28549673cfb6634ad7133
.

SVG needs more work. :/

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Fri, Jun 6, 2014 at 1:17 AM, Oda, Terri <terri.oda@intel.com> wrote:

> Yes, that table is pretty much what I had envisioned from your suggestion.
>
>
> On Thu, Jun 5, 2014 at 8:25 AM, Hill, Brad <bhill@paypal.com> wrote:
>
>>  I think it could be either under Delivery or Processing Model.
>>
>>
>>
>> Terri, do you think something like this addresses your concerns?
>>
>>
>>
>> *From:* Mike West [mailto:mkwst@google.com]
>> *Sent:* Thursday, June 05, 2014 8:13 AM
>> *To:* Brad Hill
>> *Cc:* Oda, Terri; WebAppSec WG
>> *Subject:* Re: CSP sandboxing and workers
>>
>>
>>
>> Got it. I'll tweak this a bit and add it as a non-normative section under
>> Delivery (unless you have a different suggestion around where you'd like to
>> see it?) .
>>
>>
>>
>> -mike
>>
>>
>>   --
>> Mike West <mkwst@google.com>
>>
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Registergericht und -nummer: Hamburg, HRB 86891
>>
>> Sitz der Gesellschaft: Hamburg
>>
>> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>>
>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>>
>>
>>
>> On Wed, Jun 4, 2014 at 10:39 PM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>> Something like this:
>>
>>
>>
>> Policies are associated with and enforced or monitored for execution
>> contexts in the browser. If a resource load does not create a new execution
>> context, e.g. when a script, img or css file is transcluded, or when a
>> resource is fetched using an XmlHttpRequest, any policies that resource is
>> delivered with are discarded, and it is be subject only to the policy or
>> policies (if any) of the including context.
>>  ------------------------------
>>
>> *Resource Type and Context*
>>
>> *What CSP Policy Applies?*
>>
>> text/html, as a top-level document loaded via navigation or creation of a
>> new browsing context
>>
>> Policy delivered with the resource
>>
>> text/html, loaded via XHR
>>
>> Policy of the context that performed the fetch
>>
>> <img>, <image>
>>
>> Policy of the including context
>>
>> text/javascript, via <script src=...>
>>
>> Policy of the including context
>>
>> text/javascript, as a Worker, Shared Worker or Service Worker
>>
>> Policy delivered with the resource, or policy of the creating context if
>> created from a Globally Unique Identifier URI scheme like data: or blob:
>>
>> SVG, inline
>>
>> Policy of the including context
>>
>> SVG, as a top-level document
>>
>> Policy delivered with the resource
>>
>> SVG, as an embedded document
>>
>> Policy delivered with the resource, or policy of the creating context if
>> created from a Globally Unique Identifier URI scheme like data: or blob:
>>
>> SVG, as a staic or animated image document
>>
>> ???
>>
>> SVG, as a resource document
>>
>> Policy of the including context
>>
>> SVG, as a font document
>>
>> ???
>>
>> <iframe>, <object> or <embed>
>>
>> What may be embedded is determined by the policy of the embedding
>> resource, but once instantiated, the execution context is governed by the
>> policy delivered with the resource, or policy of the creating context if
>> created from a Globally Unique Identifier URI scheme like data: or blob:
>>
>>
>>
>> On Wed, Jun 4, 2014 at 8:06 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>> I'll make a proposal, I think the discussion on SVG (e.g. whether the
>> including context's CSP policy propagates into the SVG execution context)
>> will also be relevant here.
>>
>>
>>
>> On Tue, Jun 3, 2014 at 1:45 AM, Mike West <mkwst@google.com> wrote:
>>
>> What would you expect such a table to contain?
>>
>>
>>
>> Sorry, I don't think I've understood the points around which you've heard
>> developer confusion, Brad.
>>
>>
>>
>> -mike
>>
>>
>>   --
>> Mike West <mkwst@google.com>
>>
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Registergericht und -nummer: Hamburg, HRB 86891
>>
>> Sitz der Gesellschaft: Hamburg
>>
>> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>>
>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>>
>>
>>
>> On Tue, Jun 3, 2014 at 2:47 AM, Oda, Terri <terri.oda@intel.com> wrote:
>>
>> On Mon, Jun 2, 2014 at 9:04 AM, Brad Hill <hillbrad@gmail.com> wrote:
>>
>>  A wider point of possible confusion here - we need to make sure
>> developers understand they can't use CSP to enforce restrictions like
>> sandboxing on a script file.  (I've had very smart people ask me about
>> this in the past - the model of what is a "resource" from the
>> browser's internals is not immediately obvious to everyone.)
>>
>> (...)
>>
>>
>> Among "JavaScript global environment", "document environment",
>> "dedicated worker environment", "shared worker
>> environment", and "worker environment", where does CSP state live and
>> what loads get to influence it?  Maybe a table would be helpful.
>>
>>
>>
>> +1 to the idea of a table.
>>
>>
>>
>> While I haven't directly gotten that question, I could definitely see it
>> coming up, and I know I have had similar confused questions about same
>> origin that seem to be answered most clearly with a table.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>

Received on Friday, 6 June 2014 09:54:38 UTC