html icon indicating copy to clipboard operation
html copied to clipboard
verified publisher icon whatwg

Iframe `sandbox` compatibility with Service Workers

Open BlobTheKat opened this issue 1 year ago • 0 comments

What problem are you trying to solve?

See https://github.com/w3c/ServiceWorker/issues/1727 The concept of sandboxed iframes is fundamentally incompatible by design with Service Workers.

What solutions exist today?

None

How would you solve it?

The proposal attempts to bridge the incompatibility by adding an inherit-controller value for the sandbox attribute. This value will allow the parent context to transparently control the sandboxed iframe in these specific ways:

  • Requests made by the iframe's document will be forwarded to the parent's service worker
  • The iframe will be accessible from the parent's clients interface within the service worker

Note that this control is transparent, which implies that navigator.serviceWorker will still not be available from the iframe

Anything else?

This proposal does not imply a security risk as a sandboxed iframe of any origin will not share credentials with that origin unless it has the allow-same-origin value. As such, inherit-controller and allow-same-origin cannot be used together (allow-same-origin should take precedence).

BlobTheKat avatar Aug 28 '24 16:08 BlobTheKat