Service workers and CSP

Given a worker A and its service worker SW the path to the network is:

  A -> SW -> network

Both A and SW can have a CSP policy.

If SW's fetch event is not handled the effective path to the network is:

  A -> network

An equivalent to that was going to be event.default() but that does
not work: https://github.com/slightlyoff/ServiceWorker/issues/607

This means that enabling SW makes A's CSP policy a lot less useful. I
think we already acknowledged this to some extent. I'm mostly sending
this to make sure I have not missed anything.

Note that the things we previously thought we could rely on have not changed:

* A synthetic Response object has no url so could be blocked by A
similar to eval et al.
* If a Response object has a url it is the one from the network.

The caveat here is that at the moment we do overwrite this url field
similar to how redirects are handled (step 6 of the main fetch
algorithm). If CSP cannot hook adequately around there we might need
to have an "original url" slot on Response objects or something like
that.


-- 
https://annevankesteren.nl/

Received on Tuesday, 27 January 2015 13:22:52 UTC