Intent to Implement and Ship: Fire 'SecurityPolicyViolation' events for Workers.


Mike West

Nov 15, 2016, 4:05:43 AM
to blink-dev
# Contact Emails

# Spec
https://w3c.github.io/webappsec-csp/#violation-events

# Summary
Currently, we fire a 'SecurityPolicyViolation' event against a document when its content security policy is violated. We ought to do the same for dedicated/shared/service workers.

# Motivation
About 4 years ago, I added a 'FIXME' comment to WebKit noting that we should probably respond to CSP violations by firing 'SecurityPolicyViolation' events inside Workers, and not just inside Documents. *cough* I'd like to get back to that now that we're migrating most of our CSP tests to `testharness.js`; writing assertions against relevant events is a hundred times easier than working around their absence.

# Interop Risk
Low. Mozilla plans to implement the event (and since I keep bugging them about it, I kinda want to make sure our implementation actually works :) ), it should be a small change for WebKit as well.

Indeed, this should _lower_ the interop risk, as it makes it simpler to write Worker-based `testharness.js` tests.

# Compat Risk
Low. Existing sites will ignore the event, as they won't be listening for it.

# Technical Constraints
None.

# All Blink Platforms?
Yes.

# OWP Bug
# Chromestatus
https://www.chromestatus.com/feature/5679844478156800

# Requesting approval to ship?
Yes. This is a fairly small change, as it rests on top of all the other CSP infrastructure we already have.

# Web Platform Tests
I plan to port/upstream the tests from https://codereview.chromium.org/2480303002 once we land them. It's not totally trivial, as they need substitution, but pretty straightforward.


-mike

Philip Jägenstedt

Nov 16, 2016, 4:28:59 AM
to Mike West, blink-dev
LGTM1

Pedantic nit: It's SecurityPolicyViolationEvent, but 'securitypolicyviolation'. Event types are case sensitive and all the non-lowercase ones are DOM*, like 'DOMContentLoaded'.
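
An added example (not code from this thread or from Chromium) of the worker-side listener this intent enables, including the case-sensitivity point raised in the reply above. `installViolationCollector`, the stand-in `EventTarget` scope and the event field values are constructed for illustration so the block runs outside a browser; in a real worker the scope is `self`.

```javascript
// Worker-side collector: records the fields a defender usually wants to log.
function installViolationCollector(scope, sink) {
  // Event types are case sensitive; the CSP event type is all lowercase.
  scope.addEventListener('securitypolicyviolation', (e) => {
    sink.push({
      blockedURI: e.blockedURI,
      violatedDirective: e.violatedDirective,
      effectiveDirective: e.effectiveDirective,
      disposition: e.disposition,
    });
  });
}

// Constructed stand-in for the event a browser would fire. Outside a browser
// there is no SecurityPolicyViolationEvent, so a plain Event carries the
// same attribute names; the values are made up for the demo.
function makeConstructedViolation() {
  return Object.assign(new Event('securitypolicyviolation'), {
    blockedURI: 'https://cdn.example/lib.js',
    violatedDirective: 'script-src',
    effectiveDirective: 'script-src',
    disposition: 'enforce',
  });
}

function runDemo() {
  const fakeWorkerScope = new EventTarget(); // stands in for `self`
  const collected = [];
  let wrongCaseHits = 0;

  installViolationCollector(fakeWorkerScope, collected);
  // A listener registered under the mixed-case name never matches.
  fakeWorkerScope.addEventListener('SecurityPolicyViolation', () => {
    wrongCaseHits++;
  });

  fakeWorkerScope.dispatchEvent(makeConstructedViolation());
  return { collected, wrongCaseHits };
}

console.log(runDemo());
```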

Rick Byers

Nov 17, 2016, 10:55:05 AM
to Philip Jägenstedt, Mike West, blink-dev
LGTM2

Chris Harrelson

Nov 17, 2016, 12:33:04 PM
to Rick Byers, Philip Jägenstedt, Mike West, blink-dev
LGTM3
