Re: Workers inheriting CSP

Another possibility is for the worker to be subject to the CSP policy
that comes with it's script.

Also, it's always trivial for a script running in a document to bypass
connect-src.  A better threat model to think about is a site that
executes only trusted script but that might accidentally make an
XMLHttpRequest for a URL supplied by the attacker.  In that model, it
doesn't matter whether a worker uses a different CSP policy from the
main document.


On Sun, Nov 27, 2011 at 12:50 PM, Devdatta Akhawe <> wrote:
> Hi folks
> The CSP draft currently doesn't mention anything about CSP being
> inherited by workers. In particular, a worker's XMLHttpRequest should
> be subject to the original document's connect-src (or default-src as
> the case may be). Else, it is trivial to bypass connect-src.
> -devdatta

Received on Sunday, 27 November 2011 20:56:51 UTC