Throw a SecurityError when navigator.serviceWorker is accessed in a sandboxed iframe.
BUG=486308
TEST=./blink/tools/run_layout_tests.sh http/tests/serviceworker/chromium/sandboxed-iframe-navigator-serviceworker.html
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=197711
4 years, 10 months ago
(2015-06-23 07:59:59 UTC)
#4
nhiroki@
Could you please review this?
nhiroki
> Throw a SecurityError when navigator.serviceWorker is accessed in a sandboxed iframe. Question) I couldn't ...
4 years, 10 months ago
(2015-06-23 08:28:14 UTC)
#5
> Throw a SecurityError when navigator.serviceWorker is accessed in a sandboxed
iframe.
Question) I couldn't find a consensus about this behavior in chromium/spec
issues. Where is this defined?
horo
On 2015/06/23 08:28:14, nhiroki wrote: > > Throw a SecurityError when navigator.serviceWorker is accessed in ...
4 years, 10 months ago
(2015-06-23 10:05:49 UTC)
#6
On 2015/06/23 08:28:14, nhiroki wrote:
> > Throw a SecurityError when navigator.serviceWorker is accessed in a
sandboxed
> iframe.
>
> Question) I couldn't find a consensus about this behavior in chromium/spec
> issues. Where is this defined?
There is no clarified definition about this behavior yet.
But there seems to be a consensus that "Sandboxed iframes without
allow-same-origin shouldn't be intercepted".
I think we should not wait for the spec to be settled and keep this security
bypasses bug.
And it is reasonable to make the same behavior as "window.caches" does.
nhiroki
On 2015/06/23 10:05:49, horo wrote: > On 2015/06/23 08:28:14, nhiroki wrote: > > > Throw ...
4 years, 10 months ago
(2015-06-24 02:47:11 UTC)
#7
On 2015/06/23 10:05:49, horo wrote:
> On 2015/06/23 08:28:14, nhiroki wrote:
> > > Throw a SecurityError when navigator.serviceWorker is accessed in a
> sandboxed
> > iframe.
> >
> > Question) I couldn't find a consensus about this behavior in chromium/spec
> > issues. Where is this defined?
>
> There is no clarified definition about this behavior yet.
> But there seems to be a consensus that "Sandboxed iframes without
> allow-same-origin shouldn't be intercepted".
> I think we should not wait for the spec to be settled and keep this security
> bypasses bug.
> And it is reasonable to make the same behavior as "window.caches" does.
Sounds reasonable. Thank you for the explanation.
https://codereview.chromium.org/1199183002/diff/60001/Source/modules/serviceworkers/NavigatorServiceWorker.cpp File Source/modules/serviceworkers/NavigatorServiceWorker.cpp (right): https://codereview.chromium.org/1199183002/diff/60001/Source/modules/serviceworkers/NavigatorServiceWorker.cpp#newcode69 Source/modules/serviceworkers/NavigatorServiceWorker.cpp:69: exceptionState.throwSecurityError("Access to service worker is denied."); Can we make ...
4 years, 10 months ago
(2015-06-24 04:40:44 UTC)
#12
Sorry, one more nit. Can you add TEST= line in the CL description?
4 years, 10 months ago
(2015-06-24 04:46:38 UTC)
#13
Sorry, one more nit. Can you add TEST= line in the CL description?
horo
https://codereview.chromium.org/1199183002/diff/60001/Source/modules/serviceworkers/NavigatorServiceWorker.cpp File Source/modules/serviceworkers/NavigatorServiceWorker.cpp (right): https://codereview.chromium.org/1199183002/diff/60001/Source/modules/serviceworkers/NavigatorServiceWorker.cpp#newcode69 Source/modules/serviceworkers/NavigatorServiceWorker.cpp:69: exceptionState.throwSecurityError("Access to service worker is denied."); On 2015/06/24 04:40:44, ...
4 years, 10 months ago
(2015-06-24 05:58:31 UTC)
#14
Issue 1199183002: Throw a SecurityError when navigator.serviceWorker is accessed in a sandboxed iframe.
(Closed)
Created 4 years, 10 months ago by horo
Modified 4 years, 10 months ago
Reviewers: nhiroki, falken, tkent
Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Comments: 10
Chromium Code Reviews
