- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 27 Nov 2011 12:55:49 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: public-web-security@w3.org
Another possibility is for the worker to be subject to the CSP policy that comes with its script. Also, it's always trivial for a script running in a document to bypass connect-src. A better threat model to think about is a site that executes only trusted script but that might accidentally make an XMLHttpRequest for a URL supplied by the attacker. In that model, it doesn't matter whether a worker uses a different CSP policy from the main document.

Adam

On Sun, Nov 27, 2011 at 12:50 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Hi folks
>
> The CSP draft currently doesn't mention anything about CSP being
> inherited by workers. In particular, a worker's XMLHttpRequest should
> be subject to the original document's connect-src (or default-src as
> the case may be). Else, it is trivial to bypass connect-src.
>
> -devdatta
Received on Sunday, 27 November 2011 20:56:51 UTC