
Re: CSP, Fetch, and Service Workers

From: Jake Archibald <jakearchibald@google.com>
Date: Wed, 26 Mar 2014 12:03:42 +0000
Message-ID: <CAPy=JopTb_bMb-v1EVkcS7L4wecHS3+qdJ-=ivGxUp8jAOZBqw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, Alec Flett <alecflett@google.com>
On Wed, Mar 26, 2014 at 11:16 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> > Maybe we need a CSP rule for SW registrations. They're already limited to
> > the same origin, but maybe you'd want to limit that further or disable it
> Given the power of SWs, I would suggest a CSP rule to whitelist SW
> registrations: so a page can only have an SW if it comes with a CSP
> explicitly allowing such a SW.

Requiring a specific content-type for appcache manifests was so much of a
problem it was dropped from the spec. Static servers such as GitHub & S3
weren't ready in time, and a lot of frontend developers don't know how to do it
on their local dev servers. Requiring header modification for SW to work
would hurt adoption badly. Those static servers are already isolated by
origin, so you can only shoot yourself in the foot.

In the "big-company-using-csp" case where developers can deploy sites but
cannot modify headers of any url on the origin, is that common?
Received on Wednesday, 26 March 2014 12:04:09 UTC
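As an added illustration of the two positions in this exchange (not code from the thread or from either poster), the following Node script simulates the registration decision: service workers stay same-origin regardless of policy, and a CSP directive can only restrict further. It assumes the `worker-src` directive and its `child-src` / `script-src` / `default-src` fallback chain from CSP Level 3, which this 2014 thread predates; the `requireExplicitPolicy` flag models Devdatta's opt-in proposal, under which a page with no allowing directive gets no SW at all.

```javascript
// Added example: simulate whether a page may register a service worker
// under a given Content-Security-Policy header. Pure logic, no browser.
// Assumption: 'worker-src' with the CSP3 fallback chain (not in the thread).

// Parse a CSP header into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression match the SW script URL?
// Supports 'self', 'none' and absolute origin/URL prefixes; no wildcards.
function sourceMatches(source, pageOrigin, scriptUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  const prefix = source.endsWith('/') ? source : source + '/';
  return scriptUrl.href === source || scriptUrl.href.startsWith(prefix);
}

// Registration decision. The same-origin check applies before CSP, which is
// the isolation both posters rely on; CSP can then only narrow it.
// requireExplicitPolicy=true: no governing directive means "deny" (opt-in).
// requireExplicitPolicy=false: no governing directive means "allow" (CSP3).
function serviceWorkerAllowed(pageOrigin, scriptUrlText, cspHeader,
                              requireExplicitPolicy = false) {
  const scriptUrl = new URL(scriptUrlText, pageOrigin);
  if (scriptUrl.origin !== pageOrigin) return false;
  const policy = parseCsp(cspHeader || '');
  const governing = ['worker-src', 'child-src', 'script-src', 'default-src']
    .find((d) => d in policy);
  if (!governing) return !requireExplicitPolicy;
  return policy[governing].some((s) => sourceMatches(s, pageOrigin, scriptUrl));
}

// Constructed sample: a static host that cannot set headers at all.
console.log(serviceWorkerAllowed('https://app.example', '/sw.js', ''));        // true
console.log(serviceWorkerAllowed('https://app.example', '/sw.js', '', true));  // false
```

The last two lines show the adoption trade-off Jake raises: the same header-less static site registers its worker under the fallback-to-allow model and is locked out under the opt-in model.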
