
Re: CSP, Fetch, and Service Workers

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 26 Mar 2014 16:46:10 +0530
Message-ID: <CAPfop_3EBW3BtNBDHrTy46HJuvcqntCFPDVn20chAXNjuKstEg@mail.gmail.com>
To: Jake Archibald <jakearchibald@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, Alec Flett <alecflett@google.com>

Hi Jake

> CSP can't deal with the request before it hits SW, because this is also
> before redirects can occur, and CSP acts post-redirect.

Great! It seems like this is enough to clarify the model and that's
all that is needed. Sure, some CSP directives don't make sense if you
have a SW replacing script loads, but that is what the application
opted into.

> Maybe we need a CSP rule for SW registrations. They're already limited to
> the same origin, but maybe you'd want to limit that further or disable it

Given the power of SWs, I would suggest a CSP rule to whitelist SW
registrations: so a page can only have an SW if it comes with a CSP
explicitly allowing such a SW.

Imagine you are a security person in big-company-using-csp right now.
You are sleeping a good sleep after fighting out and implementing CSP.
And now, SW comes along and suddenly a developer can just register a
SW and break all the policies you had written down. The CSP header
(the one part you had ownership/visibility on) doesn't even see this
happen. We don't want this.

Received on Wednesday, 26 March 2014 11:16:59 UTC
