
Re: CSP: workers

From: Alex Russell <slightlyoff@google.com>
Date: Tue, 14 May 2013 09:55:37 -0700
Message-ID: <CANr5HFWdg13FDN1brfTc5yeHedVwnM97iGXt+CeEU4Ps=C8RKg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Saturday, May 11, 2013, Anne van Kesteren wrote:

> On Fri, May 10, 2013 at 1:18 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > What happens with multiple documents with distinct CSP headers that
> > use a shared worker?
>
> So someone told me that the idea of workers was more or less to be
> background documents. From that perspective CSP should apply to them
> directly really (and for the controller idea they would be treated
> similarly to a browsing context navigation), though I guess you still
> want to do the same things you do with <iframe> where sometimes you
> inherit the policy (e.g. for data URLs).
>

Unless I misunderstand the question, shared workers can live outside the
policy of a single document, meaning that at T0, index.html can be served
with a liberal policy and create a named shared worker. At T1, the same
document can be opened in a different page under a more restrictive policy
(but one which obviously allows use of the worker script). This is the
degenerate case of the broader set of questions that arise about multiple
documents connecting to the same worker but under different CSP policies.

The question seems to remain: how to set the policy?

If it hasn't been worked out yet, my vote is for "no shared workers under
differing policies". That is to say, if at T0 you open a worker and have a
CSP policy applied, and at T1 you try the same named worker under a
different policy, they are not shared.
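The "no shared workers under differing policies" rule sketched above, as an added illustration that is not part of the thread: a model registry keys a named shared worker on origin, script URL, name and a canonicalised CSP, so the T1 document under a stricter policy gets its own worker instance rather than the one created at T0. The names `parseCsp`, `SharedWorkerRegistry` and the sample documents are assumptions for this example, not browser API.

```javascript
// Added example (not from the mailing list thread). Models the proposal that a
// named shared worker is shared only between documents whose CSP policies are
// identical. Policies are compared after normalisation so directive order and
// whitespace do not create spurious "different policy" splits.

// Canonicalise a Content-Security-Policy header value: directives sorted by
// name, each source list de-duplicated and sorted. Assumed helper name.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive: the first occurrence wins.
    if (directives.has(name)) continue;
    directives.set(name, [...new Set(tokens.slice(1))].sort());
  }
  return [...directives.keys()].sort()
    .map((n) => `${n} ${directives.get(n).join(" ")}`.trim())
    .join("; ");
}

// Registry keyed on (origin, script URL, worker name, canonical policy).
// Assumed class name; a real UA keys on origin + URL + name only.
class SharedWorkerRegistry {
  constructor() { this.workers = new Map(); this.nextId = 1; }
  // Returns the worker instance the document `doc` is connected to.
  connect(doc, scriptUrl, name) {
    const policy = parseCsp(doc.csp);
    const key = [doc.origin, scriptUrl, name, policy].join("\u0000");
    if (!this.workers.has(key)) {
      this.workers.set(key, { id: this.nextId++, policy, clients: 0 });
    }
    const w = this.workers.get(key);
    w.clients += 1;
    return w;
  }
}

// Constructed scenario from the mail: T0 liberal policy, T1 restrictive policy
// that still permits the worker script, plus a third document whose policy
// equals T0's but is written in a different order.
function demo() {
  const reg = new SharedWorkerRegistry();
  const t0 = { origin: "https://example.test", csp: "default-src *; script-src 'self'" };
  const t1 = { origin: "https://example.test", csp: "default-src 'self'; script-src 'self'" };
  const t0b = { origin: "https://example.test", csp: "script-src 'self' ; default-src *" };
  const a = reg.connect(t0, "/w.js", "sync");
  const b = reg.connect(t1, "/w.js", "sync");
  const c = reg.connect(t0b, "/w.js", "sync");
  return { sharedT0T1: a.id === b.id, sharedT0T0b: a.id === c.id, clientsOnA: a.clients };
}
```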
Received on Tuesday, 14 May 2013 16:56:04 UTC
