W3C home > Mailing lists > Public > public-web-security@w3.org > November 2011

Workers inheriting CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 27 Nov 2011 12:50:40 -0800
Message-ID: <CAPfop_03e8_zB460yH8D9oUhLq0yk7yiTRBFvZ-T5SgpncZC6w@mail.gmail.com>
To: public-web-security@w3.org

Hi folks,

The CSP draft currently doesn't mention anything about CSP being
inherited by workers. In particular, a worker's XMLHttpRequest should
be subject to the original document's connect-src (or default-src as
the case may be). Else, it is trivial to bypass connect-src.

-devdatta
Received on Sunday, 27 November 2011 20:51:28 GMT