
ACTION-146, propose spec text for Workers

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 18 Nov 2013 16:07:40 -0800
Message-ID: <CAEeYn8iOs_qHPCruTwftWEN8wxz2zMxtigu+eWzxSArsnhTa2Q@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
<hat = individual>

We have had some discussions on how to treat Workers, with one idea that
they should be treated more like a separate document context with their own
policy, instead of like another script.  The current text states:

Whenever a user agent runs a worker <http://www.w3.org/TR/workers/#run-a-worker>:
[WEBWORKERS <https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>]

   - If the user agent is enforcing a CSP policy for the owner document,
   the user agent *must* enforce the CSP policy for the worker.
   - If the user agent is monitoring a CSP policy for the owner document,
   the user agent *must* monitor the CSP policy for the worker.



I'd like to propose the following new text, with a dependency on the
resolution of ACTION-149:

Whenever a user agent runs a Worker <http://www.w3.org/TR/workers/#run-a-worker>:
[WEBWORKERS <https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>]

   - If the worker is created from a URI scheme such as "blob:",
   "filesystem:", "data:" or "javascript:", the worker inherits whatever
   security policies are currently being enforced or monitored for the owner
   document.
   - Otherwise the worker is subject to whatever policies are attached to
   the resource used to create the worker.


Does anyone know if a SharedWorker can be created with "data:",
"javascript:" or "blob:"?

-Brad
Received on Tuesday, 19 November 2013 00:08:09 UTC
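
Added example, not part of the original message: a JavaScript model of the current text and the proposed text, showing which policies a worker ends up with for a given URI. The function names, the header-object shape and the treatment of the "such as" scheme list as exactly four schemes are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not spec or browser code.

// Schemes the proposed text names as inheriting from the owner document.
// The proposal says "such as", so a real list may be longer (assumption).
const INHERITING_SCHEMES = new Set(["blob:", "filesystem:", "data:", "javascript:"]);

// Return the lowercase scheme with its trailing colon. A regex is used so
// nested forms such as "blob:https://..." yield "blob:". The caller is
// assumed to have resolved relative URIs already.
function schemeOf(uri) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*:)/.exec(uri.trim());
  if (!m) throw new TypeError("worker URI must be absolute: " + uri);
  return m[1].toLowerCase();
}

// Read the policies delivered with a resource. `headers` is a plain object
// keyed by lowercase header name, a constructed stand-in for a response.
function policiesFromHeaders(headers) {
  return {
    enforced: headers["content-security-policy"] || null,
    monitored: headers["content-security-policy-report-only"] || null,
  };
}

// Current text: the worker always gets the owner document's policies,
// both the enforced one and the monitored one.
function currentRule(ownerPolicies) {
  return { ...ownerPolicies, source: "owner" };
}

// Proposed text: inherit for the listed schemes; otherwise the worker is
// subject only to the policies attached to the resource it was created from.
function proposedRule(ownerPolicies, workerUri, workerHeaders = {}) {
  if (INHERITING_SCHEMES.has(schemeOf(workerUri))) {
    return { ...ownerPolicies, source: "owner" };
  }
  return { ...policiesFromHeaders(workerHeaders), source: "resource" };
}
```

In this model, a worker script fetched over the network with no policy header ends up with no policy under the proposed text, whatever the owner document enforces.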
