Re: Workers inheriting CSP

On 11/27/11 3:26 PM, Adam Barth wrote:
> The question is only which CSP policy controls the worker.  There's a
> choice about whether it's the CSP policy from the document that
> spawned the worker or whether it's the CSP policy from the script the
> worker is running.  Either is reasonable, the question is which is
> better.

A worker-supplied CSP seems a bit of a conceptual stretch.
Developers are much more likely to think of them as a special kind
of <script> than to think they're more like a hidden <iframe>.

Or to look at it another way, if Workers have their own policy a
page author no longer controls the policy on their own page
(although the exceptions would be encapsulated to the Worker). If
workers inherit CSP then a page author who needs to run a Worker in
a different policy can set up a container <iframe> with that policy
and talk to the worker through postMessage() to that frame. Yeah,
more async intermediates that way, but is it going to be a common case?

-Dan Veditz

Received on Tuesday, 29 November 2011 16:50:01 UTC
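
The container-frame arrangement described in the message above, sketched as an added example (not part of the original message). It assumes the inheritance model under discussion, where a worker is governed by the policy of the document that creates it; `PARENT_ORIGIN`, `attachWorkerRelay` and `worker.js` are hypothetical names.

```javascript
// Runs inside the container <iframe>. The frame's document is served with its
// own Content-Security-Policy header, so under the inheritance model a Worker
// created here is governed by the frame's policy, not the embedding page's.
// PARENT_ORIGIN and "worker.js" are assumed values for this sketch.
const PARENT_ORIGIN = "https://app.example";

function attachWorkerRelay(frameWindow, worker, parentOrigin) {
  const stats = { forwarded: 0, dropped: 0 };

  // Parent -> frame -> worker. Only the embedding page may drive the worker:
  // check both the sender's origin and that the sender is really our parent.
  frameWindow.addEventListener("message", (event) => {
    if (event.origin !== parentOrigin || event.source !== frameWindow.parent) {
      stats.dropped++;
      return;
    }
    worker.postMessage(event.data);
    stats.forwarded++;
  });

  // Worker -> frame -> parent. Name the target origin explicitly rather than
  // "*", so results are only delivered to the expected embedding page.
  worker.onmessage = (event) => {
    frameWindow.parent.postMessage(event.data, parentOrigin);
  };

  return stats;
}

// Browser wiring; skipped when the file is loaded outside a framed document.
if (typeof document !== "undefined" && typeof Worker !== "undefined" &&
    window.parent !== window) {
  attachWorkerRelay(window, new Worker("worker.js"), PARENT_ORIGIN);
}
```

The embedding page talks to the worker with `frame.contentWindow.postMessage(job, frameOrigin)` and should apply the same origin and source checks to the replies it receives.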