
Re: Clarification of CSP sandbox and workers

From: Deian Stefan <deian@cs.stanford.edu>
Date: Wed, 12 Nov 2014 10:15:22 -0800
To: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: WebApps WG <public-webapps@w3.org>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
Message-ID: <87ppcsffph.fsf@cs.stanford.edu>

+1

Mike West <mkwst@google.com> writes:

> The CSP spec should just delegate to HTML here. If/when HTML defines
> sandboxing with regard to Workers, CSP will just start using those hooks.

Reasonable. The issue also appears outside CSP: if I create a worker in
a sandboxed iframe, what should its origin be? (Or should I not be able
to create a worker in this case?)
> I'd agree, for example, that it does appear that sandboxing a worker into a
> unique origin could be interesting. It's not clear to me whether any of the
> other flags would be useful, though.

Right, none of the other flags really make sense. (Though some of the
flags similarly don't make sense when the sandbox directive is applied
to a top-level page.) I do think it's reasonable to wait on the more
general sandboxed worker idea, since some of the proposals in WebAppSec
are thinking about this already.

Thanks,
Deian
Received on Wednesday, 12 November 2014 18:15:48 UTC
