Re: [w3ctag/design-reviews] [TPAC][HTML General Review]: how to decide if workers are subresources or separate contexts (#310)

The specific issue we were debating in WebAppSec was whether or not a document's Content Security Policy (and Referrer Policy, et al.) should be inherited by a dedicated worker, or whether the dedicated worker ought to be considered a distinct environment entirely with its own policy (which is the model we use for `<iframe>`, as well as Shared Workers and Service Workers).

Firefox implements the latter model, while Chrome implements the former. This is unfortunate, and we need some help working out the principles at play here.

https://github.com/w3ctag/design-reviews/issues/310#issuecomment-432212741

Received on Tuesday, 23 October 2018 11:43:41 UTC