I don't think the problem here is coming up with an architecture, but
rather having time to implement it. I think many of the specs you
mention would be a lot easier if we implemented the "Hooks for
security policies" proposal from [1].

There's already work going on for implementing the "New API for
creating channels", "Security Flags" and "Opening channels" sections
of [1]. This should be enough to enable channels to know if they have
a "tainted" response or not. But we would also need to rearchitect
all relevant callsites to actually look at that. I would imagine some
already do, but not all of them.

Referrer policies would require other solutions entirely.

Anyhow, the short of it is that the missing piece here is having the
time to make these changes.

[1] https://etherpad.mozilla.org/BetterNeckoSecurityHooks

/ Jonas

On Fri, Jul 17, 2015 at 8:20 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> In Whistler we discussed security concerns around service workers and
> a lot of them stem from the fact that we don't have a good interface
> in Gecko for Fetch[1]. Something that handles requests for all web
> platform features we have and deals with CSP, HSTS, Referrer Policy,
> redirects, service workers, CORS, Mixed Content, etc. for them.
>
> While we decided not to do this refactoring before shipping service
> workers, we should probably start planning, unless I'm missing
> something.
>
> [1] https://fetch.spec.whatwg.org/
>
>
> --
> https://annevankesteren.nl/
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform