Re: Clarification of CSP sandbox and workers from Mike West on 2014-11-12 (public-webappsec@w3.org from November 2014)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Nov 2014 15:42:52 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Deian Stefan <deian@cs.stanford.edu>, WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
Message-ID: <CAKXHy=f5bX0HwMSZJUzCQ53u-srz82A3O75Sz7m9DhB+A3NApw@mail.gmail.com>

The CSP spec should just delegate to HTML here. If/when HTML defines
sandboxing with regard to Workers, CSP will just start using those hooks.

I'd agree, for example, that it does appear that sandboxing a worker into a
unique origin could be interesting. It's not clear to me whether any of the
other flags would be useful, though.

Ian, WDYT?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Nov 12, 2014 at 9:45 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Nov 6, 2014 at 5:10 AM, Deian Stefan <deian@cs.stanford.edu>
> wrote:
> > I am implementing CSP for Workers in Firefox, but like to get a
> > clarification on workers and the sandbox flag. Currently, a Worker can
> > inherit or be accompanied by a CSP header. As written, the implications
> > of the sandbox directive on the Worker context is not clear.
> >
> > [Following up on https://github.com/w3c/webappsec/issues/69]
> >
> > Arguably most of the sandbox flags don't make sense for Workers, but the
> > empty directive (i.e., just sandbox) and sandbox allow-same-origin can
> > have reasonable semantics.  So, if a Worker inherits the CSP from the
> > owner document (or parent worker in later specs) or is accompanied by a
> > CSP header which has the 'sandbox' directive, should the worker script's
> > origin be set to a unique origin?  Or should we just ignore (and
> > appropriately warn about) the sandbox flag for Workers and address the
> > need for sandboxed Workers separately?
>
> This would affect what a worker can fetch, what storage it has access
> to, and which permissions it has (e.g. can it display a notification).
> Might be an interesting way to run untrusted code.
>
> But if we are going to do something like this Ian would have to define
> how the sandbox directives affect a worker environment.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Wednesday, 12 November 2014 14:43:41 UTC