- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 27 Nov 2011 12:50:40 -0800
- To: public-web-security@w3.org
Hi folks

The CSP draft currently doesn't mention anything about CSP being inherited by workers. In particular, a worker's XMLHttpRequest should be subject to the original document's connect-src (or default-src as the case may be). Else, it is trivial to bypass connect-src.

-devdatta
Received on Sunday, 27 November 2011 20:51:28 UTC
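
The inheritance rule the message asks for, as an added example that is not part of the original post or of the CSP draft: a simplified model of the connect-src check (with default-src fallback) applied to a worker that does or does not inherit its owner document's policy. The function names, the `workerPolicy` helper, the reduced source matching and the example.com/example.net values are assumptions made for illustration.

```javascript
// Added illustration: simplified model of connect-src enforcement.
// Source matching handles only 'none', '*', 'self' and scheme://host[:port].
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// connect-src governs XMLHttpRequest; default-src applies when it is absent.
function effectiveConnectSources(policy) {
  if (policy.has('connect-src')) return policy.get('connect-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // neither directive present: connections are unrestricted
}

function sourceMatches(source, target, selfOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return target.origin === selfOrigin;
  try { return new URL(source).origin === target.origin; } catch { return false; }
}

// policy === null models a context that has no CSP at all.
function connectAllowed(policy, url, selfOrigin) {
  const sources = policy === null ? null : effectiveConnectSources(policy);
  if (sources === null) return true;
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, selfOrigin));
}

// Hypothetical helper: the policy a worker's XMLHttpRequest is checked against.
function workerPolicy(ownerDocumentPolicy, inheritsFromOwner) {
  return inheritsFromOwner ? ownerDocumentPolicy : null;
}

// Constructed sample values.
const SELF = 'https://app.example.com';
const DOC_POLICY = parsePolicy("default-src 'self'; connect-src 'self' https://api.example.com");
const OFF_POLICY_URL = 'https://other.example.net/collect';

console.log('document:', connectAllowed(DOC_POLICY, OFF_POLICY_URL, SELF));
console.log('worker, no inheritance:', connectAllowed(workerPolicy(DOC_POLICY, false), OFF_POLICY_URL, SELF));
console.log('worker, inherited:', connectAllowed(workerPolicy(DOC_POLICY, true), OFF_POLICY_URL, SELF));
```

Only the non-inheriting worker is allowed to reach the off-policy URL; with inheritance the worker gets the same decision as the document.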