- From: Brad Hill <hillbrad@fb.com>
- Date: Thu, 20 Nov 2014 19:45:37 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>
Here's the test matrix to play around with:

https://webappsec-test.info/~bhill2/sandbox/matrix.html

I'll wrap it up into web-platform-test format and put it on GitHub once I figure out what the proper behaviors actually are.

Is there a way for a sandboxed resource to discover that its own effective origin is 'null'?

More funniness discovered: In Chrome when this test matrix is served over https, a resource sandboxed by CSP can construct a blob and a URL for it, but a page sandboxed as an iframe generates a Mixed Content error trying to do the same.

On 11/20/14, 1:55 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

>On Wed, Nov 19, 2014 at 11:59 PM, Brad Hill <hillbrad@fb.com> wrote:
>> document.origin is always undefined in both FF and Chrome.
>
>It's relatively new, and indeed not implemented yet :/
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=931884
>
>
>> Also, event.origin
>> (https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage#The_dispatched_event)
>> is always an empty string for messages from Workers. I guess it's
>> unnecessary on the assumption that channels to Workers are always
>> same-origin,
>> but seems like that might hurt if any kind of non-same-origin Workers
>> are
>> defined?
>
>Filed
>https://www.w3.org/Bugs/Public/show_bug.cgi?id=27377
>
>
>--
>https://annevankesteren.nl/
Received on Thursday, 20 November 2014 19:46:08 UTC
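The thread asks how a sandboxed document can learn that its effective origin is 'null', and earlier notes that event.origin is what the receiving side sees. The following is an added example, not code from the thread or from any of the browsers discussed: it shows why a parent page must not treat a message whose event.origin is the string "null" as coming from its own sandboxed iframe unless it also pins event.source to that frame's contentWindow, and it contrasts that check with the naive origin-only check. The origin "https://app.example", the message objects and the two window stand-ins are constructed for the example. The browser wiring at the bottom assumes a page with a body element and uses self.origin in the child, which is the getter that was standardized after this thread; it is skipped when the file runs under Node.

```javascript
// Added example (not from the thread): validating postMessage events when the
// sender is a sandboxed iframe with an opaque origin.
//
// A document in a sandboxed iframe without allow-same-origin has an opaque
// origin, which serializes as the string "null". Every opaque-origin document
// serializes the same way, so event.origin alone cannot distinguish the frame
// we created from any other opaque-origin window that can reach us.

// Constructed: the one non-opaque origin this page is willing to talk to.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Naive check: accepts "null" as if it identified a particular sender.
// Kept here only to contrast with the hardened version below.
function naiveIsTrustedMessage(event) {
  return event.origin === "null" || TRUSTED_ORIGINS.has(event.origin);
}

/**
 * Hardened check.
 * @param {{origin: string, source: object|null, data: any}} event
 * @param {object|null} sandboxedWindow contentWindow of the single sandboxed
 *        iframe this page created itself, or null if there is none.
 * @returns {boolean} whether the message should be acted upon.
 */
function isTrustedMessage(event, sandboxedWindow) {
  if (event.origin === "null") {
    // Opaque origin: the only acceptable sender is exactly our own frame,
    // identified by object identity of the window, not by origin string.
    return sandboxedWindow !== null && event.source === sandboxedWindow;
  }
  // Ordinary origin: exact-match against an allow-list, never a substring test.
  return TRUSTED_ORIGINS.has(event.origin);
}

// How a document can tell whether its own origin is opaque: self.origin
// (and location.origin) yield the serialized origin, which is "null" for a
// sandboxed document. This helper classifies that serialized string.
function isOpaqueOrigin(serializedOrigin) {
  return serializedOrigin === "null";
}

// Browser-only wiring; skipped under Node so the file still runs stand-alone.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  // allow-scripts without allow-same-origin: the child gets an opaque origin.
  frame.sandbox = "allow-scripts";
  // The child reports its own serialized origin to the parent. The payload
  // carries nothing sensitive, which is why "*" is acceptable as the target.
  frame.srcdoc =
    '<script>parent.postMessage({ origin: self.origin }, "*");</script>';
  document.body.appendChild(frame);

  window.addEventListener("message", (event) => {
    if (!isTrustedMessage(event, frame.contentWindow)) {
      return; // drop messages from anyone other than our own sandboxed frame
    }
    console.log("sandboxed frame reports origin:", event.data.origin,
      "opaque:", isOpaqueOrigin(event.data.origin));
  });
}
```

The important design point is that "null" is a property of every opaque origin, not a name for one sender; identity for such a sender has to come from event.source (or, more robustly, from a MessageChannel port handed to the frame at creation time), while non-opaque senders are matched exactly against an allow-list.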