W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 19 Nov 2014 00:29:51 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D091245F.12DF%hillbrad@fb.com>
Added IE 11 behavior for iframe sandbox.  Even more fun inconsistencies

On 11/18/14, 3:40 PM, "Brad Hill" <hillbrad@fb.com> wrote:

>I've started a document here comparing Chrome vs. Firefox behavior for
>sandboxing with workers.

>Notable items:
>	location.origin reports the origin even when inside an origin
>	sandbox that tests as null elsewhere.
>	Firefox supports the sandbox attribute of iframe, but not the
>	sandbox CSP directive.
>	Chrome is consistent in its handling of sandboxing whether applied
>	from CSP or iframe.
>	Firefox allows creation of Workers from data: urls, Chrome does
>	not.
>	Chrome does not support sub-Workers.  (The Worker constructor is
>	undefined in a worker environment)
>	Firefox supports sub-Workers.
>	Workers in Firefox cannot create sub-Workers form a blob: (no
>	window.URL.createObjectURL method). But they can create sub-
>	Workers from a data: url.
>	Otherwise, they agree pretty well, except that Chrome reports the
>	location.origin of a blob created with allow-same-origin as the
>	origin of the creating page, or the string "://" if from a
>	sandboxed origin, and Firefox always reports location.origin of a
>	blob as "null".
>Still need to think about what behavior is most sensible to try to
>specify, but thought I'd share early results to spur discussion.

Received on Wednesday, 19 November 2014 00:30:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC