- From: Alex Russell <slightlyoff@google.com>
- Date: Fri, 10 May 2013 18:58:43 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Saturday, 11 May 2013 01:59:11 UTC
Their ability to connect to such a worker is gated by CSP, but in terms of the overall policy applied, e.g., for XHR -- I don't think there is a good answer. Possible options: inherit the policy from first doc (possibly looser than later-connecting docs), or "if policies don't match, spawn new worker". I think the latter is the only sane solution, but there are probably other communication channels for same-origin docs that can create such capability leaks, even without workers of any kind.

On May 10, 2013 1:19 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
> What happens with multiple documents with distinct CSP headers that
> use a shared worker?
>
>
> --
> http://annevankesteren.nl/
>
>
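The two options named in the message above, as an added toy model (not part of the original post and not browser code): it shows which policy ends up governing a worker's requests when a stricter document connects after a looser one. The class and function names, the sample origins, and the reduction of a CSP to a `connect-src` allowlist are all assumptions made for illustration.

```javascript
// Toy model only: a "policy" is an array of origins allowed by connect-src.
class ModelWorker {
  constructor(policy) { this.policy = policy; }
  // Stands in for XHR inside the worker; only the worker's own policy is checked.
  canRequest(origin) { return this.policy.includes(origin); }
}

// Canonical string for a policy so equal allowlists compare equal.
const policyKey = (policy) => [...policy].sort().join(' ');

class WorkerRegistry {
  // mode: 'inherit-first' or 'spawn-on-mismatch' (hypothetical labels)
  constructor(mode) { this.mode = mode; this.workers = new Map(); }

  connect(scriptUrl, docPolicy) {
    // Under 'inherit-first' every document shares one worker per script URL.
    // Under 'spawn-on-mismatch' the connecting document's policy is part of the key.
    const key = this.mode === 'inherit-first'
      ? scriptUrl
      : `${scriptUrl}|${policyKey(docPolicy)}`;
    if (!this.workers.has(key)) {
      this.workers.set(key, new ModelWorker(docPolicy));
    }
    return this.workers.get(key);
  }
}

// Constructed scenario: a loose document creates the worker, then a stricter
// same-origin document connects to the same script URL.
function simulate(mode) {
  const loosePolicy = ['https://app.example', 'https://cdn.example'];
  const strictPolicy = ['https://app.example'];
  const registry = new WorkerRegistry(mode);
  registry.connect('/shared.js', loosePolicy);
  const seenByStrictDoc = registry.connect('/shared.js', strictPolicy);
  return {
    workerCount: registry.workers.size,
    // true means the strict document gained a capability its own policy denies
    strictDocReachesCdn: seenByStrictDoc.canRequest('https://cdn.example'),
  };
}

console.log('inherit-first     ', simulate('inherit-first'));
console.log('spawn-on-mismatch ', simulate('spawn-on-mismatch'));
```

The model covers only the worker path; the other same-origin communication channels mentioned in the message are outside it.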