Nonce attribute for Web Worker #15
Comments
I don't really follow what you're trying to do. Can you help me understand with some sample code?
From @Nadoedalo on September 2, 2015 13:6

I have following CSP header What I'm trying to do - run any eval-code in sandbox so it can't get or transfer data. And even if the result of template will be It is clear that CSP header should be applied to Web Worker with its own policy, but it isn't anywhere except for Chrome, and when the policy is violated - Firefox, for example, refers to original policy for the whole window. So I thought that there can be another way - with nonce attribute. You can actually allow one script to do whatever it wants, so it can be applied to worker in order to allow unsafe-eval only there.

The whole code example:

```js
/* sandbox.js file */
(function(self){
  self.addEventListener('message', function(e){
    // _.template compiles with new Function, which is why this worker
    // needs 'unsafe-eval' while the page itself does not.
    var data = JSON.parse(e.data),
        template = _.template(data.template)(data.data);
    self.postMessage({
      template : template
    });
  });
  // importScripts is synchronous, so _ is defined before any message arrives.
  self.importScripts('http://underscorejs.org/underscore-min.js');
  return self;
}(self));

/* template-call function */
function secureTemplate(template, data){
  var promise = new Promise(function(resolve, reject){
    // Reuse one worker across calls instead of leaking an implicit global.
    var worker = window._webWorker || new window.Worker('sandbox.js');
    // Keep a single listener reference: each .bind() call returns a new
    // function, so removeEventListener would never match and listeners
    // would pile up on the shared worker.
    function workerListener(e){
      worker.removeEventListener('message', workerListener);
      resolve(e.data.template);
    }
    window._webWorker = worker;
    worker.addEventListener('message', workerListener);
    worker.postMessage(JSON.stringify({
      template : template,
      data : data
    }));
  });
  return promise;
}

/* call */
secureTemplate('<%=name%>', {name : 'Nadoedalo'}).then(function(html){
  console.log(html);
});
```

so if name had But maybe functional separate policy for Web Worker is just fine, the thing is it is not supported yet.
After waffling a bit, we've specified the worker model such that the worker inherits the policy from the page that instantiates it. I think this is taken care of today. Hopefully that deals with your use-case.
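The thread turns on which policy governs eval in the worker versus the page, and on whether a nonce could stand in for a per-worker policy. The following is an added example, not code from this issue or from the CSP specification repository: a minimal Content-Security-Policy parser with the two checks that matter here (does a policy permit eval, and what a nonce can and cannot authorize), run against constructed page and worker-script policies served from hypothetical paths `/` and `/sandbox.js` with a made-up nonce value. Whether a browser honours a separate policy on the worker script's own response is exactly the browser-dependent behaviour described above; the code only models the policy logic.

```javascript
// Parse a Content-Security-Policy header value into Map(directive -> [sources]).
// Directives are ';'-separated, tokens whitespace-separated, names
// case-insensitive; a repeated directive keeps its first occurrence, as CSP does.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src falls back to default-src when absent; neither present means
// scripts are unrestricted by this policy.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does the policy let eval()/new Function() run in the context it governs?
function allowsEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// A nonce source is matched against the nonce attribute of a <script>
// element. new Worker(url) carries no such attribute, so a nonce can never
// authorize the worker script; it only authorizes scripts in the page.
function nonceWouldAllow(policy, nonce, context) {
  if (context !== 'script-element') return false;
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === `'nonce-${nonce}'`);
}

// Constructed policies (hypothetical values): the page forbids eval and
// whitelists one nonce; the worker script's own response carries a separate,
// eval-permitting policy so 'unsafe-eval' is confined to the sandbox.
const PAGE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const WORKER_CSP = "default-src 'none'; script-src 'self' 'unsafe-eval'";

// Server-side routing of the two headers (hypothetical paths).
function cspHeaderFor(path) {
  return path === '/sandbox.js' ? WORKER_CSP : PAGE_CSP;
}

function summary() {
  const page = parseCsp(cspHeaderFor('/'));
  const worker = parseCsp(cspHeaderFor('/sandbox.js'));
  return {
    pageAllowsEval: allowsEval(page),
    workerAllowsEval: allowsEval(worker),
    nonceAllowsInlineScript: nonceWouldAllow(page, 'r4nd0m', 'script-element'),
    nonceAllowsWorker: nonceWouldAllow(page, 'r4nd0m', 'worker'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summary());
}
```

Run with `node` to see the four booleans: only the worker policy permits eval, and the page's nonce authorizes a script element but not the worker. The point of the routing function is that the eval allowance lives on the worker script's response, so reviewing which responses carry `'unsafe-eval'` is a quick audit of where eval is actually reachable.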
From @Nadoedalo on September 2, 2015 11:52
Seems that there is no way to set nonce attribute for a Web Worker in order to allow sandbox to do whatever it wants. Maybe there must be a way to set nonce attribute in header and/or in script string/attribute?
I'm trying to run every unsafe code in web worker's sandbox but only Chrome understands separate policy for the worker. And because of that I need to run 'unsafe-eval' policy just because I'm using template engine, and that can cause issues and not really offering me a protection.
Here are some links:
Firefox bug tracker
Stackoverflow question
Copied from original issue: w3c/webappsec#464