- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 29 Nov 2011 08:49:17 -0800
- To: public-web-security@w3.org

On 11/27/11 3:26 PM, Adam Barth wrote:
> The question is only which CSP policy controls the worker. There's a
> choice about whether it's the CSP policy from the document that
> spawned the worker or whether it's the CSP policy from the script the
> worker is running. Either is reasonable, the question is which is
> better.

A worker-supplied CSP seems a bit of a conceptual stretch. Developers are much more likely to think of them as a special kind of <script> than to think they're more like a hidden <iframe>.

Or to look at it another way, if Workers have their own policy a page author no longer controls the policy on their own page (although the exceptions would be encapsulated to the Worker).

If workers inherit CSP then a page author who needs to run a Worker in a different policy can set up a container <iframe> with that policy and talk to the worker through postMessage() to that frame. Yeah, more async intermediates that way, but is it going to be a common case?

-Dan Veditz

Received on Tuesday, 29 November 2011 16:50:01 UTC