Iframe sandbox compatibility with Service Workers

[BlobTheKat]

What problem are you trying to solve?

See w3c/ServiceWorker#1727
The concept of sandboxed iframes is fundamentally incompatible by design with Service Workers.

What solutions exist today?

None

How would you solve it?

The proposal attempts to bridge the incompatibility by adding an inherit-controller value for the sandbox attribute. This value will allow the parent context to transparently control the sandboxed iframe in these specific ways:

• Requests made by the iframe's document will be forwarded to the parent's service worker
• The iframe will be accessible from the parent's clients interface within the service worker

Note that this control is transparent, which implies that navigator.serviceWorker will still not be available from the iframe

Anything else?

This proposal does not imply a security risk as a sandboxed iframe of any origin will not share credentials with that origin unless it has the allow-same-origin value. As such, inherit-controller and allow-same-origin cannot be used together (allow-same-origin should take precedence).