Re: Workers inheriting CSP

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 29 Nov 2011 08:49:17 -0800
Message-ID: <4ED50D0D.8040907@mozilla.com>
To: public-web-security@w3.org
On 11/27/11 3:26 PM, Adam Barth wrote:
> The question is only which CSP policy controls the worker.  There's a
> choice about whether it's the CSP policy from the document that
> spawned the worker or whether it's the CSP policy from the script the
> worker is running.  Either is reasonable, the question is which is
> better.

A worker-supplied CSP seems a bit of a conceptual stretch.
Developers are much more likely to think of them as a special kind
of <script> than to think they're more like a hidden <iframe>.

Or to look at it another way, if Workers have their own policy a
page author no longer controls the policy on their own page
(although the exceptions would be encapsulated to the Worker). If
workers inherit CSP then a page author who needs to run a Worker in
a different policy can set up a container <iframe> with that policy
and talk to the worker through postMessage() to that frame. Yeah,
more async intermediates that way, but is it going to be a common case?

-Dan Veditz
Received on Tuesday, 29 November 2011 16:50:01 GMT
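The container-frame workaround Dan describes, as an added example that is not part of the original post: the page keeps its own policy, a same-site iframe served with the policy the Worker needs creates the Worker, and the two documents talk through postMessage(). File names, origins and the two policies are assumptions; `relayMessage` is an illustrative helper, not a browser API. The relay logic is kept as a pure function so the origin check, which is the part that matters once messages cross a frame boundary, can be exercised outside a browser.

```javascript
// Added example, not from the thread. Assumed layout (all constructed):
//   /index.html        page under policy A, served with
//                      Content-Security-Policy: default-src 'self'
//   /worker-host.html  iframe document served with the Worker's policy B, e.g.
//                      Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example
//   /worker.js         the Worker; created by the frame, so under the
//                      inherit-from-document model it runs under policy B
//   /bridge.js         this file, loaded by both documents via <script src>,
//                      so neither policy needs 'unsafe-inline'
// The page's policy must allow the frame (default-src 'self' covers a
// same-origin /worker-host.html; CSP 1.0 names that directive frame-src).

const PAGE_ORIGIN = 'https://app.example';  // constructed origin of /index.html
const HOST_ORIGIN = 'https://app.example';  // constructed origin of /worker-host.html

// Pure relay: forward event.data.payload to forwarders[event.data.to] only
// when the message came from expectedOrigin and has the expected shape.
// Returns why a message was dropped so the caller can log it.
function relayMessage(event, expectedOrigin, forwarders) {
  if (event.origin !== expectedOrigin) return { forwarded: false, reason: 'origin' };
  const msg = event.data;
  if (!msg || typeof msg !== 'object') return { forwarded: false, reason: 'shape' };
  const target = forwarders[msg.to];
  if (typeof target !== 'function') return { forwarded: false, reason: 'target' };
  target(msg.payload);
  return { forwarded: true };
}

// Runs inside /worker-host.html (policy B): owns the Worker and relays both ways.
function startHost() {
  const worker = new Worker('/worker.js');   // loaded under the frame's policy
  const page = window.parent;
  // Worker -> page: address the reply to the page origin only, never '*'.
  worker.onmessage = (e) => page.postMessage({ to: 'page', payload: e.data }, PAGE_ORIGIN);
  // Page -> worker: accept only messages from the page origin.
  window.addEventListener('message', (e) =>
    relayMessage(e, PAGE_ORIGIN, { worker: (p) => worker.postMessage(p) }));
}

// Runs inside /index.html (policy A): returns a send() function for the page.
function startPage(onResult) {
  const frame = document.getElementById('worker-host');  // <iframe src="/worker-host.html">
  window.addEventListener('message', (e) =>
    relayMessage(e, HOST_ORIGIN, { page: onResult }));
  return (payload) => frame.contentWindow.postMessage({ to: 'worker', payload }, HOST_ORIGIN);
}

// /worker.js (separate file, constructed): self.onmessage = (e) => self.postMessage(e.data * 2);

// Browser entry point; skipped when this file is loaded outside a browser.
if (typeof window !== 'undefined') {
  if (window.parent !== window) {
    startHost();
  } else {
    const send = startPage((r) => console.log('worker result:', r));
    send(21);
  }
}
```

The extra hop is the "async intermediate" the mail mentions: every call now crosses a postMessage() boundary, so both sides must name the peer origin explicitly and drop anything else, otherwise the frame with the looser policy becomes a way for any document that can reach it to drive the Worker.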
