Remove response check #493
I think this is a reasonable approach. I'll wait to see the subsequent PRs before approving it, just to make sure I understand the integration points. Thanks!
|
||
Given a {{Document}} or <a for="/">global object</a> (|context|) and a <a for="/">policy</a> | ||
(|policy|): | ||
|
||
1. If |policy|'s <a for="policy">disposition</a> is not "`enforce`", or | ||
|context| is not a {{Document}}, then abort this algorithm. |
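Review bot: Step 1 aborts whenever |context| is not a {{Document}}, so the "global object" half of the preamble's "Given a {{Document}} or global object" is accepted but never acted on. Either add a short note after step 1 saying that non-Document contexts (workers, worklets) are intentionally a no-op here and where their sandbox handling lives, or narrow the stated input to a {{Document}}, so a reader does not assume worker contexts receive sandbox flags from this algorithm.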
I think this leaves WorkletGlobalScope, which isn't handled below.
Right (although the algorithm would not do anything interesting for worklets). But I added an if.
Co-authored-by: Mike West <mike@mikewest.org>
Thanks @mikewest! The subsequent PRs are ready and linked:
LGTM. Happy for you to merge this when you're ready.
Complements w3c/webappsec-csp#493. Response component of CSP is now managed at a higher level of abstraction.
This is a companion to w3c/webappsec-csp#493. That PR requires calling the check for blocking workers which try to enforce sandboxing via CSP directly from HTML.
This is a tentative PR to remove the CSP response check (checking the CSP of the response for a resource). This check is currently used only for blocking Workers which try to enforce sandboxing. I believe in general we do not want to consider CSP headers for a resource response, so this check is something we'd prefer not to have.
For keeping the previous behaviour for Workers, this change introduces an initialization step and check. I will upload companion PRs to enforce this check on html and ServiceWorker. I believe this check can also be reused in the future if we would like to actively do something with sandbox for Workers.
This change makes it possible to remove the response CSP list, see companion PR on fetch.
The downsides of this are that: