- From: Mike West <mkwst@google.com>
- Date: Fri, 22 Aug 2014 15:20:29 +0200
- To: Kevin Hill <khill@microsoft.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 22 August 2014 13:21:18 UTC
On Thu, Aug 21, 2014 at 8:24 PM, Kevin Hill <khill@microsoft.com> wrote:

> I don't understand the question, could you clarify please? If the worker's policy is delivered via an HTTP header, it should be enforced/monitored for the worker.
>
> CSP 1 – says all webworkers get owner document policies.
>
> CSP Level 2 says data/blob/etc get owner document policies, but http/https get their own CSP policy from http header.
>
> We are looking to clarify what happens when the owner document has a CSP policy, but the http/https based webworker doesn't.

CSP2 treats workers as separate execution environments (just like frames). They may set a policy, or they may choose not to set a policy. If a worker delivered over HTTP/HTTPS doesn't set a policy, a policy won't be enforced in its context.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
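The worker-policy rule Mike describes above, written out as a small JavaScript model. This is an added example, not code from the thread or from any browser; the function and parameter names and the sample headers are my own, and the owner document URL is assumed only so that relative worker URLs can be resolved.

```javascript
// Added example (not from the thread): which CSP policy applies inside a Web Worker.
const ENFORCE = "content-security-policy";
const MONITOR = "content-security-policy-report-only";

// Case-insensitive header lookup; returns null when the header is absent.
function header(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : null;
}

// owner: { url, enforced, monitored } for the owner document (policies may be null).
// workerUrl: the string passed to new Worker(), resolved against owner.url.
// workerHeaders: response headers the worker script was fetched with
//   (ignored for data:/blob: workers, which have no HTTP response of their own).
// Returns the { enforced, monitored } pair that applies in the worker's context.
function workerPolicies(owner, workerUrl, workerHeaders = {}, cspLevel = 2) {
  // CSP 1: every worker simply inherits the owner document's policies.
  if (cspLevel === 1) {
    return { enforced: owner.enforced, monitored: owner.monitored };
  }

  const scheme = new URL(workerUrl, owner.url).protocol;

  // CSP 2: data: and blob: workers keep the owner document's policies.
  if (scheme === "data:" || scheme === "blob:") {
    return { enforced: owner.enforced, monitored: owner.monitored };
  }

  // http:/https: workers are separate execution environments (like frames):
  // only headers on the worker's own response count, and no header means no policy.
  return {
    enforced: header(workerHeaders, ENFORCE),
    monitored: header(workerHeaders, MONITOR),
  };
}

// Constructed sample: a strict owner page whose worker script sends no CSP header.
const sampleOwner = {
  url: "https://app.example/",
  enforced: "default-src 'self'",
  monitored: null,
};
const sampleWorkerHeaders = { "Content-Type": "text/javascript" };
console.log(workerPolicies(sampleOwner, "/worker.js", sampleWorkerHeaders));
```

The last line prints `{ enforced: null, monitored: null }`: under CSP2 the HTTPS worker runs with no policy at all, which is exactly the situation Kevin asked about.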