- From: Mike West <mkwst@google.com>
- Date: Mon, 16 Feb 2015 21:09:33 +0100
- To: Deian Stefan <deian@cs.stanford.edu>, Alex Russell <slightlyoff@google.com>, Jake Archibald <jakearchibald@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Brian Smith <brian@briansmith.org>
Nope. But +Alex again, just in case he has opinions. Also +Jake. Hi, Jake!

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Commercial register and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Feb 16, 2015 at 9:02 PM, Deian Stefan <deian@cs.stanford.edu> wrote:
>
> Great!
>
> Mike West <mkwst@google.com> writes:
>> Because I don't understand why ServiceWorkers have introduced
>> path-based granularity. As I noted in that thread (and as Brian
>> agreed), the origin makes sense as a security boundary. Pretending
>> that such a boundary exists for paths seems problematic.
>
> I suppose the one case where the path-based approach helps is the
> university scenario, where e.g. stanford.edu/~evil sets an
> overly-restricting CSP that ends up breaking *.stanford.edu. The right
> thing here is for the admin to disallow setting such headers, but I can
> see that becoming a problem. (But, I guess ~evil can already mess with
> cookies, etc.)
>
> In any case, I agree with sticking to the origin as the security
> boundary; I was more curious to see if you got any info from Alex or
> others on the path stuff off-list.
>
> Deian
Received on Monday, 16 February 2015 20:10:22 UTC