Adds WorkletGlobalScope as a concept to CSP. #205
Conversation
This allows worklets to properly initialize their CSP list for each global scope they have. Fixes w3c#204.
index.src.html
Outdated
| @@ -1166,7 +1166,8 @@ <h4 id="initialize-global-object-csp" algorithm> | |||
| therefore alias the <a>embedding document</a>'s policies for <a>an iframe | |||
| `srcdoc` `Document`</a>. | |||
|
|
|||
| 2. If |global| is a {{SharedWorkerGlobalScope}} or {{ServiceWorkerGlobalScope}}: | |||
| 2. If |global| is a {{SharedWorkerGlobalScope}}, {{ServiceWorkerGlobalScope}}, or | |||
| and restricted behaviors, and may be applied to a {{Window}} or {{WorkerGlobalScope}} as described | ||
| in [[#initialize-global-object-csp]]. | ||
| and restricted behaviors, and may be applied to a {{Window}}, {{WorkerGlobalScope}, or | ||
| {{WorkletGlobalScope}} as described in [[#initialize-global-object-csp]]. |
There was a problem hiding this comment.
You'll need to hook into https://w3c.github.io/webappsec-csp/#initialize-global-object-csp somewhere so that it's called when the Worklet is initialized. And you'll probably need to alter that algorithm as well to inherit the document's policy into the worklet (assuming that's what you need).
There was a problem hiding this comment.
I don't think any worklet can currently fetch resources, so that's probably not needed. Although maybe it's nice for unsafe-inline so eval() can be made to throw?
There was a problem hiding this comment.
I created w3c/css-houdini-drafts#467 which does this. And modified the algorithm below which copies the owner document's policy.
index.src.html
Outdated
| spec: WORKLETS-1; urlPrefix: https://drafts.css-houdini.org/worklets/ | ||
| type: dfn | ||
| for: WorkletGlobalScope | ||
| text: owner document; url: workletglobalscope-owner-document |
There was a problem hiding this comment.
Is this document not included in Shepherd? Ideally, we wouldn't need to hard-code the definition here. If the worklets document isn't in Shepherd yet, would you mind asking Tab to add it? :)
|
Given that we already waited since April we might as well wait for another couple of days and get that fixed... |
|
I just added that so that "owner document" would link as its in a pending PR: w3c/css-houdini-drafts#467 I'll push the other PR first, and remove the reference. |
|
Pushed the other commit, and now links fine. |
|
I was going to merge this, but I guess @mikewest should first run make or some such as there's no automatic building for this repository. |
|
@mikewest Is there anything else that needs to be done here? I can run bikeshed locally and update the index.html if you like? |
|
Merged; I'll rebuild the doc in a separate patch. And I guess look into how various other specs do the build thing. I'm sure it must be trivially automated everywhere by now. :) |
* 'master' of https://github.com/w3c/webappsec-csp: (209 commits) Fix a few typos (w3c#280) Introduce 'prefetch-src'. (w3c#283) Clarify navigation behavior for 'script-src'. Incorrect indentation of the navigation check algorithm. IDL amendments and small misc issues. (w3c#271) Regenerate HTMLs. Origin link. NoncedElement link. link up inline css issue (w3c#228) Replaced 'alias' with 'copy' for less ambiguity (w3c#273) Cleanup `global object` usage to make sense with `Documents` (w3c#254) Elements with duplicated attributes are not nonceable. s/not-example.com/example.org/ Linked testing policy and fixed a few links (w3c#263) Rebuild HTML. Fix linking errors to 'script-like' and 'applet'. Adds WorkletGlobalScope as a concept to CSP. (w3c#205) Slight correction of host matching description (w3c#251) Fixed ambigous grammar (w3c#250) Replace Request.type based logic with Request.destination (w3c#231) ...
This allows worklets to properly initialize their CSP list for each
global scope they have.
Fixes #204.
Preview | Diff