W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: some testing on workers and sandbox

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Tue, 18 Nov 2014 20:30:51 -0500
Message-ID: <546BF2CB.5050907@mit.edu>
To: public-webappsec@w3.org
On 11/18/14, 6:40 PM, Brad Hill wrote:
> 	location.origin reports the origin even when inside an origin
> 	sandbox that tests as null elsewhere.

That's because location.origin seems to be defined as the origin of the 
location URL, not the origin of the document...  This can be an issue in 
other situations too; for the simplest example, consider this testcase:

     alert("Origin: '" + frames[0].location.origin + "'");

Live version at <http://jsfiddle.net/5kLqceqs/>.  The subframe location 
is about:blank, so location.origin is "null", but the document origin is 
an alias of the parent document origin,

> 	Firefox supports the sandbox attribute of iframe, but not the
> 	sandbox CSP directive.

Indeed.  https://bugzilla.mozilla.org/show_bug.cgi?id=671389

> 	Workers in Firefox cannot create sub-Workers form a blob: (no
> 	window.URL.createObjectURL method).

Well, no "window".  But self.URL.createObjectURL or just 
URL.createObjectURL should work in Firefox 21 and newer.  And seems to 
work fine for starting a sub-Worker too.  See 

> 	Otherwise, they agree pretty well, except that Chrome reports the
> 	location.origin of a blob created with allow-same-origin as the
> 	origin of the creating page, or the string "://" if from a
> 	sandboxed origin, and Firefox always reports location.origin of a
> 	blob as "null".

Hmm.  There were some recent spec changes in this area; I don't recall 
what the right behavior here is nowadays.  It's possible that one or 
both are buggy (e.g. I doubt "://" is ever a valid origin).

Received on Wednesday, 19 November 2014 01:31:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC