- From: Brad Hill <hillbrad@fb.com>
- Date: Tue, 18 Nov 2014 23:40:12 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I've started a document here comparing Chrome vs. Firefox behavior for sandboxing with workers.

https://docs.google.com/document/d/1V3qYOkI2or_d59-t7E3nWMx48T3iDWoSzyYs1S1K_fU/edit?usp=sharing

Notable items:

location.origin reports the origin even when inside an origin sandbox that tests as null elsewhere.

Firefox supports the sandbox attribute of iframe, but not the sandbox CSP directive. Chrome is consistent in its handling of sandboxing whether applied from CSP or iframe.

Firefox allows creation of Workers from data: URLs, Chrome does not.

Chrome does not support sub-Workers. (The Worker constructor is undefined in a worker environment.) Firefox supports sub-Workers.

Workers in Firefox cannot create sub-Workers from a blob: (no window.URL.createObjectURL method). But they can create sub-Workers from a data: URL.

Otherwise, they agree pretty well, except that Chrome reports the location.origin of a blob created with allow-same-origin as the origin of the creating page, or the string "://" if from a sandboxed origin, and Firefox always reports location.origin of a blob as "null".

Still need to think about what behavior is most sensible to try to specify, but thought I'd share early results to spur discussion.

-Brad
Received on Tuesday, 18 November 2014 23:40:36 UTC
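
Added example, not part of the original message or the linked document: a small probe that records the properties the message compares (reported location.origin, whether the Worker constructor exists, whether URL.createObjectURL exists) so results from a page, a sandboxed frame and a worker can be diffed. The function names and the two sample scopes are assumptions; the scopes are constructed to model behaviours the message describes and were not captured from any browser.

```javascript
// Call probeScope(self) from a page, a sandboxed iframe, or a worker script
// and post the result back to the test harness for comparison.
function probeScope(scope) {
  const loc = scope.location || {};
  const urlApi = scope.URL || scope.webkitURL;
  return {
    isWorker: typeof scope.importScripts === 'function',
    scheme: typeof loc.protocol === 'string' ? loc.protocol : null,
    reportedOrigin: loc.origin === undefined ? null : String(loc.origin),
    originKind: classifyOrigin(loc.origin),
    canConstructWorker: typeof scope.Worker === 'function',
    canCreateBlobUrl: !!urlApi && typeof urlApi.createObjectURL === 'function',
  };
}

// 'tuple'     = scheme://host[:port]
// 'opaque'    = the literal string "null"
// 'malformed' = anything else, such as the "://" string the message reports
function classifyOrigin(origin) {
  if (origin === undefined || origin === null) return 'absent';
  const s = String(origin);
  if (s === 'null') return 'opaque';
  return /^[a-z][a-z0-9+.-]*:\/\/[^\/\s]+$/i.test(s) ? 'tuple' : 'malformed';
}

// List the fields on which two probe reports disagree.
function diffReports(a, b) {
  return Object.keys(a).filter((k) => a[k] !== b[k]).sort();
}

// Constructed sample scopes (assumptions) for a blob: worker in a sandboxed origin:
// scopeA: origin reported as "://", no Worker constructor inside the worker.
// scopeB: origin reported as "null", Worker constructor present, no createObjectURL.
const scopeA = { importScripts() {}, location: { protocol: 'blob:', origin: '://' } };
const scopeB = {
  importScripts() {},
  location: { protocol: 'blob:', origin: 'null' },
  Worker: function Worker() {},
};

console.log(diffReports(probeScope(scopeA), probeScope(scopeB)));
```

A sandbox check that only compares location.origin against the string "null" would treat the "://" case as a real origin; classifying it as malformed makes that difference visible in the report.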