- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 26 Mar 2014 16:46:10 +0530
- To: Jake Archibald <jakearchibald@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, Alec Flett <alecflett@google.com>
Hi Jake > CSP can't deal with the request before it hits SW, because this is also > before redirects can occur, and CSP acts post-redirect. great! It seems like this is enough to clarify the model and that's all that is needed. Sure, some CSP directives don't make sense if you have a SW replacing script loads, but that is what the application opted into. > Maybe we need a CSP rule for SW registrations. They're already limited to > the same origin, but maybe you'd want to limit that further or disable it Given the power of SWs, I would suggest a CSP rule to whitelist SW registrations: so a page can only have an SW if it comes with a CSP explicitly allowing such a SW. Imagine you are security person in big-company-using-csp right now. You are sleeping a good sleep after fighting out and implementing CSP. And now, SW comes along and suddenly a developer can just register a SW and break all the policies you had written down. The CSP header (the one part you had ownership/visibility on) doesn't even see this happen. We don't want this. cheers Dev
Received on Wednesday, 26 March 2014 11:16:59 UTC