+1

Mike West <mk...@google.com> writes:

> The CSP spec should just delegate to HTML here. If/when HTML defines
> sandboxing with regard to Workers, CSP will just start using those hooks.

Reasonable, the issue also appears outside CSP: if I create a worker in
a sandboxed iframe, what should its origin be? (Or should I not be able
to create a worker in this case?)
 
> I'd agree, for example, that it does appear that sandboxing a worker into a
> unique origin could be interesting. It's not clear to me whether any of the
> other flags would be useful, though.

Right, none of the other flags really make sense. (Though some of the
flags similarly don't make sense when the sandbox directive is applied
to a top-level page.) I do think it's reasonable to wait on the more
general sandboxed worker idea, since some of the proposals in WebAppSec
are thinking about this already.

Thanks,
Deian

Reply via email to