Re: ACTION-146, propose spec text for Workers

On 11/19/2013 11:30 AM, Hill, Brad wrote:
> Actually, as I think more about it, perhaps workers should
> properly be controlled by frame-src, not script-src.  After all,
> they're a distinct child browsing context.  We already find we need
> to special-case srcdoc, data:, etc. there, and could apply the same
> treatment to Workers.

I could go for that. It makes a decision to use the CSP in the worker
script's headers seem a lot less odd.

What do we break if we change things now? Any Worker-using site that had
frame-src 'none' instead of 'self' or something broader.

> I suppose a better name would be "child-src", but probably too late
> for that.

We could deprecate frame-src and browsers could support both for a while
as synonyms. Not sure it's worth it though.

-Dan Veditz

Received on Tuesday, 19 November 2013 20:58:39 UTC