w3c / webappsec

Web Application Security Working Group repo
https://www.w3.org/groups/wg/webappsec/

[CSP] Enforcing CSP for Service Workers #350

Open jungkees opened 9 years ago

jungkees commented 9 years ago

I think CSP needs a hook for service workers to enforce a CSP policy. As I understand it, adding Run Service Worker to section 5.1 (Workers) of the CSP spec would work in general, i.e. "Whenever a user agent runs a worker or Run Service Worker:". Could you add this? Or is there any better suggestion?

Related SW issue: https://github.com/slightlyoff/ServiceWorker/issues/378

jonathanKingston commented 8 years ago

@mikewest this seems fully resolved in level 3 of the specification.

As mentioned in the related SW issue, there is a confusing mention in the specification for the ED level 2: https://w3c.github.io/webappsec-csp/2/#child_src

"URL while processing the Worker or SharedWorker constructors"

Can ServiceWorker be added to this sentence as well, or is there an implication of backdating that to level 2?

mikewest commented 8 years ago
  1. PRs accepted!
  2. @wseltzer and @hillbrad can comment on the sanity of backporting this to CSP2. It seems small and consistent with browsers' implementations, but, you know. Process.