W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Service workers and CSP

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 27 Jan 2015 14:57:13 +0100
Message-ID: <CADnb78iCGGstyTrUOOeEBZ9rJOzN1Ln7Ovwq2gb8u7Lqz9H39Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, Jake Archibald <jaffathecake@gmail.com>, Alex Russell <slightlyoff@google.com>, Jungkee Song <jungkees@gmail.com>
On Tue, Jan 27, 2015 at 2:38 PM, Mike West <mkwst@google.com> wrote:
> 2. I think our vague plan was to check outgoing requests as well as incoming
> responses, similar to what we've ended up with for MIX. That is, we would
> attempt to prevent the SW from giving us something for a particular request
> that wouldn't have been allowed as an outgoing request.

Agreed, that is part of the reason why Response objects keep track of
the network url (or lack thereof for synthetic responses).

> I don't really understand the issue with `event.default()`. Why does that
> passthrough mechanism not work?

I think the biggest problem is that the Response objects end up being
exposed to SW (and script) and therefore breaks expected CSP
invariants about request contexts.

I think the biggest drawback is that Referer ends up being the SW all the time.

The preserving the "final url" feature from default() we are turning
into a primitive as discussed in that issue thread. I think we might
want to do the same with Referer. (Effectively allowing it to be set
to any same-origin URL.)

Received on Tuesday, 27 January 2015 13:57:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:45 UTC