- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Wed, 12 Nov 2014 10:15:22 -0800
- To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
- Cc: WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
+1 Mike West <mkwst@google.com> writes: > The CSP spec should just delegate to HTML here. If/when HTML defines > sandboxing with regard to Workers, CSP will just start using those hooks. Reasonable, the issue also appears outside CSP: if I create a worker in a sandboxed iframe, what should its origin be? (Or should I not be able to create a worker in this case?) > I'd agree, for example, that it does appear that sandboxing a worker into a > unique origin could be interesting. It's not clear to me whether any of the > other flags would be useful, though. Right, none of the other flags really make sense. (Though some of the flags similarly don't make sense when the sandbox directive is applied to a top-level page.) I do think it's reasonable to wait on the more general sandboxed worker idea, since some of the proposals in WebAppSec are thinking about this already. Thanks, Deian
Received on Wednesday, 12 November 2014 18:15:48 UTC