Re: some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Thu, 20 Nov 2014 19:45:37 +0000
To: Anne van Kesteren <annevk@annevk.nl>
CC: Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <D09383CC.1423%hillbrad@fb.com>

Here's the test matrix to play around with:


I'll wrap it up into web-platform-test format and put it on Github once I
figure out what the proper behaviors actually are.

Is there a way for a sandboxed resource to discover that its own effective
origin is 'null'?

More funniness discovered:

In Chrome when this test matrix is served over https, a resource sandboxed
by CSP can construct a blob and a URL for it, but a page sandboxed as an
iframe generates a Mixed Content error trying to do the same.

On 11/20/14, 1:55 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Wed, Nov 19, 2014 at 11:59 PM, Brad Hill <hillbrad@fb.com> wrote:
>> document.origin is always undefined in both FF and Chrome.
>It's relatively new, and indeed not implemented yet :/

>> Also, event.origin
>> is always an empty string for messages from Workers.  I guess it's
>> unnecessary on the assumption that channels to Workers are always
>> same-origin,
>> but seems like that might hurt if any kind of non-same-origin Workers
>> defined?



Received on Thursday, 20 November 2014 19:46:08 UTC
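
An added example, not part of the original message or its test matrix: a receiver-side check for the two values discussed in this thread, the empty `event.origin` seen on Worker messages and the 'null' serialization of a sandboxed origin. `TRUSTED_ORIGINS`, `classifyOrigin` and `shouldAccept` are hypothetical names, and `https://app.example` is a constructed value.

```javascript
// Added example: classify MessageEvent.origin before trusting event.data.
// TRUSTED_ORIGINS and both function names are assumptions for illustration.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // constructed value

function classifyOrigin(origin) {
  // Empty string: what the thread reports for messages from Workers.
  if (origin === "") return "no-origin";
  // "null": serialization of an opaque origin, e.g. a document sandboxed
  // without allow-same-origin. Every such document serializes the same way,
  // so this value identifies no particular sender.
  if (origin === "null") return "opaque";
  try {
    // event.origin is a bare origin; anything with a path, query or
    // trailing slash is not a value the browser would have produced.
    if (new URL(origin).origin !== origin) return "malformed";
  } catch {
    return "malformed";
  }
  return TRUSTED_ORIGINS.has(origin) ? "trusted" : "untrusted";
}

// channel is "worker" for a handler attached to a Worker object this page
// constructed itself, and "window" for a window-level message handler.
function shouldAccept(origin, channel) {
  const kind = classifyOrigin(origin);
  // On a Worker channel the origin carries no information, so the only
  // consistent value is the empty string; trust comes from owning the Worker.
  if (channel === "worker") return kind === "no-origin";
  // On a window channel, empty and "null" are never allowlisted. A sandboxed
  // frame has to be recognised another way, such as comparing event.source
  // with the contentWindow of the iframe the page created.
  return kind === "trusted";
}

// Browser wiring; skipped when no window object exists.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    if (!shouldAccept(e.origin, "window")) return; // drop silently
    // ... handle e.data here ...
  });
}
```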