W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 19 Nov 2014 00:29:51 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D091245F.12DF%hillbrad@fb.com>
Added IE 11 behavior for iframe sandbox.  Even more fun inconsistencies
now.

On 11/18/14, 3:40 PM, "Brad Hill" <hillbrad@fb.com> wrote:

>I've started a document here comparing Chrome vs. Firefox behavior for
>sandboxing with workers.
>
>https://docs.google.com/document/d/1V3qYOkI2or_d59-t7E3nWMx48T3iDWoSzyYs1S

>1
>K_fU/edit?usp=sharing
>
>Notable items:
>
>	location.origin reports the origin even when inside an origin
>	sandbox that tests as null elsewhere.
>
>	Firefox supports the sandbox attribute of iframe, but not the
>	sandbox CSP directive.
>
>	Chrome is consistent in its handling of sandboxing whether applied
>	from CSP or iframe.
>
>	Firefox allows creation of Workers from data: urls, Chrome does
>	not.
>
>	Chrome does not support sub-Workers.  (The Worker constructor is
>	undefined in a worker environment)
>
>	Firefox supports sub-Workers.
>
>	Workers in Firefox cannot create sub-Workers form a blob: (no
>	window.URL.createObjectURL method). But they can create sub-
>	Workers from a data: url.
>
>	Otherwise, they agree pretty well, except that Chrome reports the
>	location.origin of a blob created with allow-same-origin as the
>	origin of the creating page, or the string "://" if from a
>	sandboxed origin, and Firefox always reports location.origin of a
>	blob as "null".
>
>
>Still need to think about what behavior is most sensible to try to
>specify, but thought I'd share early results to spur discussion.
>
>-Brad
>

Received on Wednesday, 19 November 2014 00:30:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC