Re: Clarification of CSP sandbox and workers

2014-11-12 Thread Anne van Kesteren
On Thu, Nov 6, 2014 at 5:10 AM, Deian Stefan de...@cs.stanford.edu wrote:
> I am implementing CSP for Workers in Firefox, but would like to get a clarification on workers and the sandbox flag. Currently, a Worker can inherit or be accompanied by a CSP header. As written, the implications of the

Re: Clarification of CSP sandbox and workers

2014-11-12 Thread Mike West
The CSP spec should just delegate to HTML here. If/when HTML defines sandboxing with regard to Workers, CSP will just start using those hooks. I'd agree, for example, that it does appear that sandboxing a worker into a unique origin could be interesting. It's not clear to me whether any of the

Re: Clarification of CSP sandbox and workers

2014-11-12 Thread Deian Stefan
+1
Mike West mk...@google.com writes:
> The CSP spec should just delegate to HTML here. If/when HTML defines sandboxing with regard to Workers, CSP will just start using those hooks.
Reasonable, the issue also appears outside CSP: if I create a worker in a sandboxed iframe, what should its

Re: Clarification of CSP sandbox and workers

2014-11-12 Thread Ian Hickson
On Wed, 12 Nov 2014, Mike West wrote:
> The CSP spec should just delegate to HTML here. If/when HTML defines sandboxing with regard to Workers, CSP will just start using those hooks. I'd agree, for example, that it does appear that sandboxing a worker into a unique origin could be