some testing on workers and sandbox

I've started a document here comparing Chrome vs. Firefox behavior for
sandboxing with workers.

https://docs.google.com/document/d/1V3qYOkI2or_d59-t7E3nWMx48T3iDWoSzyYs1S1K_fU/edit?usp=sharing

Notable items:

 location.origin reports the origin even when inside an origin
 sandbox that tests as null elsewhere.

 Firefox supports the sandbox attribute of iframe, but not the
 sandbox CSP directive.

 Chrome is consistent in its handling of sandboxing whether applied
 from CSP or iframe.

 Firefox allows creation of Workers from data: urls, Chrome does
 not.

 Chrome does not support sub-Workers.  (The Worker constructor is
 undefined in a worker environment)

 Firefox supports sub-Workers.

 Workers in Firefox cannot create sub-Workers from a blob: (no
 window.URL.createObjectURL method). But they can create sub-
 Workers from a data: url.

 Otherwise, they agree pretty well, except that Chrome reports the
 location.origin of a blob created with allow-same-origin as the
 origin of the creating page, or the string "://" if from a
 sandboxed origin, and Firefox always reports location.origin of a
 blob as "null".


Still need to think about what behavior is most sensible to try to
specify, but thought I'd share early results to spur discussion.

-Brad

Received on Tuesday, 18 November 2014 23:40:36 UTC
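
Added example, not part of the original message or the linked document: a probe script that can be loaded in a page (plain, in a sandboxed iframe, or under a CSP sandbox directive) to record the items compared above, namely whether a Worker starts from a data: or blob: URL, what location.origin it reports, and whether Worker and URL.createObjectURL exist inside it. All function and field names are hypothetical.

```javascript
// Source that runs inside the worker and reports what that context sees.
const PROBE_SRC = `
  self.postMessage({
    origin: String(self.location.origin),
    subWorkers: typeof self.Worker === 'function',
    createObjectURL: !!(self.URL && self.URL.createObjectURL)
  });`;

// data: URL form of a script.
function dataUrl(src) {
  return 'data:application/javascript,' + encodeURIComponent(src);
}

// blob: URL form, or null where Blob/createObjectURL is unavailable.
function blobUrl(src) {
  try {
    return URL.createObjectURL(new Blob([src], { type: 'application/javascript' }));
  } catch (e) {
    return null;
  }
}

// Start a worker from `url`; resolve with its report or with the failure.
function probe(kind, url, timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (typeof Worker !== 'function') return resolve({ kind, error: 'Worker undefined' });
    if (!url) return resolve({ kind, error: 'no URL' });
    let w;
    try { w = new Worker(url); } catch (e) { return resolve({ kind, error: e.name }); }
    const done = (r) => { clearTimeout(t); w.terminate(); resolve({ kind, ...r }); };
    const t = setTimeout(() => done({ error: 'timeout' }), timeoutMs);
    w.onmessage = (ev) => done(ev.data);
    w.onerror = (ev) => { ev.preventDefault(); done({ error: 'load error' }); };
  });
}

// Collect the page's own origin plus one report per URL scheme.
async function runAllProbes() {
  return {
    pageOrigin: String(location.origin),
    results: [await probe('data', dataUrl(PROBE_SRC)), await probe('blob', blobUrl(PROBE_SRC))]
  };
}

// Runs only in a browser page; prints one JSON line to compare across browsers.
if (typeof window !== 'undefined') runAllProbes().then((r) => console.log(JSON.stringify(r)));
```

Passing `dataUrl(...)` of a script that itself calls `probe` gives the sub-Worker case.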