
some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Tue, 18 Nov 2014 23:40:12 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D09118DB.12DB%hillbrad@fb.com>
I've started a document here comparing Chrome vs. Firefox behavior for
sandboxing with workers.

https://docs.google.com/document/d/1V3qYOkI2or_d59-t7E3nWMx48T3iDWoSzyYs1S1K_fU/edit?usp=sharing

Notable items:

	location.origin reports the origin even when inside an origin
	sandbox that tests as null elsewhere.

	Firefox supports the sandbox attribute of iframe, but not the
	sandbox CSP directive.

	Chrome is consistent in its handling of sandboxing whether applied
	from CSP or iframe.

	Firefox allows creation of Workers from data: urls, Chrome does
	not.

	Chrome does not support sub-Workers.  (The Worker constructor is
	undefined in a worker environment)

	Firefox supports sub-Workers.

	Workers in Firefox cannot create sub-Workers from a blob: (no
	window.URL.createObjectURL method). But they can create sub-
	Workers from a data: url.

	Otherwise, they agree pretty well, except that Chrome reports the
	location.origin of a blob created with allow-same-origin as the
	origin of the creating page, or the string "://" if from a
	sandboxed origin, and Firefox always reports location.origin of a
	blob as "null".


Still need to think about what behavior is most sensible to try to
specify, but thought I'd share early results to spur discussion.

-Brad

Received on Tuesday, 18 November 2014 23:40:36 UTC
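
A probe for reproducing the comparison described in the message above, as an added example that is not part of the original post or of the linked document. It starts one worker from a blob: URL and one from a data: URL and reports what each sees; the names probe, dataUrlFor, blobUrlFor, spawn and runAll are illustrative, and the page is assumed to be loaded under the sandbox configuration being tested, with scripts allowed.

```javascript
// Runs inside the worker; `scope` is `self` there (a stub object in tests).
function probe(scope) {
  return {
    // Origin as the worker itself sees it.
    origin: scope.location ? scope.location.origin : undefined,
    // Is the Worker constructor defined here (sub-Worker support)?
    hasWorker: typeof scope.Worker === "function",
    // Can this scope mint blob: URLs for a sub-Worker?
    hasCreateObjectURL: !!(scope.URL && typeof scope.URL.createObjectURL === "function"),
  };
}

// Worker body: the probe plus one line that posts its result to the creator.
const WORKER_SOURCE = probe.toString() + "\nself.postMessage(probe(self));\n";

function dataUrlFor(source) {
  return "data:application/javascript," + encodeURIComponent(source);
}

function blobUrlFor(source) {
  return URL.createObjectURL(new Blob([source], { type: "application/javascript" }));
}

// Starts a worker from `url`; resolves with the probe result or the failure.
function spawn(label, url) {
  return new Promise((resolve) => {
    try {
      const w = new Worker(url);
      w.onmessage = (e) => { w.terminate(); resolve({ label, ok: true, result: e.data }); };
      w.onerror = (e) => { e.preventDefault(); resolve({ label, ok: false, error: e.message || "error event" }); };
    } catch (err) {
      resolve({ label, ok: false, error: String(err) }); // constructor refused the URL
    }
  });
}

function runAll() {
  return Promise.all([
    spawn("blob:", blobUrlFor(WORKER_SOURCE)),
    spawn("data:", dataUrlFor(WORKER_SOURCE)),
  ]);
}

// Start automatically only when loaded in a browser page.
if (typeof window !== "undefined" && typeof Worker === "function") {
  runAll().then((rows) =>
    console.table(rows.map((r) => ({ ...r, result: JSON.stringify(r.result) }))));
}
```

Running the same page once inside an iframe with the sandbox attribute and once served with the sandbox CSP directive, with and without allow-same-origin, gives the rows to compare between browsers.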
