Remove response check #493
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced May 5, 2021
mikewest
reviewed
May 5, 2021
|
|
||
| Given a {{Document}} or <a for="/">global object</a> (|context|) and a <a for="/">policy</a> | ||
| (|policy|): | ||
|
|
||
| 1. If |policy|'s <a for="policy">disposition</a> is not "`enforce`", or | ||
| |context| is not a {{Document}}, then abort this algorithm. |
There was a problem hiding this comment.
I think this leaves WorkletGlobalScope, which isn't handled below.
There was a problem hiding this comment.
Right (although the algorithm would not do anything interesting for worklets). But I added an if.
Co-authored-by: Mike West <mike@mikewest.org>
|
Thanks @mikewest! The subsequent PRs are ready and linked: |
mikewest
approved these changes
May 10, 2021
annevk
pushed a commit
to whatwg/fetch
that referenced
this pull request
May 10, 2021
Complements w3c/webappsec-csp#493. Response component of CSP is now managed at a higher level of abstraction.
domenic
pushed a commit
to whatwg/html
that referenced
this pull request
May 11, 2021
This is a companion to w3c/webappsec-csp#493. That PR requires calling the check for blocking workers which try to enforce sandboxing via CSP directly from HTML.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a tentative PR to remove the CSP response check (checking the CSP of the response for a resource). This check is currently used only for blocking Workers which try to enforce sandboxing. I believe in general we do not want to consider CSP headers for a resource response, so this check is something we'd prefer not to have.
For keeping the previous behaviour for Workers, this change introduces an initialization step and check. I will upload companion PRs to enforce this check on html and ServiceWorker. I believe this check can also be reused in the future if we would like to actively do something with sandbox for Workers.
This change makes it possible to remove the response CSP list, see companion PR on fetch.
The downsides of this are that: