W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: CSP, Fetch, and Service Workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 27 Mar 2014 15:30:34 +0000
Message-ID: <CADnb78gqj1OcyMHwafVYTpbL1ea7HN0pJZda8ikW57tVbZgYyA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, Jake Archibald <jakearchibald@google.com>, WebAppSec WG <public-webappsec@w3.org>, Alec Flett <alecflett@google.com>
On Thu, Mar 27, 2014 at 3:55 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> I was hoping for something stronger: the absence of child-src would
> not allow a SW. Or heck, even require an explicit "sw-src" or
> something.
> But, this would go against the grain of the remaining CSP directives
> so your suggestion makes sense.

Requiring CSP for a new orthogonal feature is too high a bar. I
sympathize with the purported security benefits, but we also need
people to be able to play with technology in a relatively
straightforward manner.

Received on Thursday, 27 March 2014 15:31:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC