- From: Alex Russell <slightlyoff@google.com>
- Date: Tue, 14 May 2013 09:55:37 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CANr5HFWdg13FDN1brfTc5yeHedVwnM97iGXt+CeEU4Ps=C8RKg@mail.gmail.com>
On Saturday, May 11, 2013, Anne van Kesteren wrote:

> On Fri, May 10, 2013 at 1:18 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > What happens with multiple documents with distinct CSP headers that
> > use a shared worker?
>
> So someone told me that the idea of workers was more or less to be
> background documents. From that perspective CSP should apply to them
> directly really (and for the controller idea they would be treated
> similarly to a browsing context navigation), though I guess you still
> want to do the same things you do with <iframe> where sometimes you
> inherit the policy (e.g. for data URLs).
>

Unless I misunderstand the question, shared workers can live outside the policy of a single document, meaning that at T0, index.html can be served with a liberal policy and create a named shared worker. At T1, the same document can be opened in a different page under a more restrictive policy (but one which obviously allows use of the worker script).

This is the degenerate case of the broader set of questions that arise about multiple documents connecting to the same worker but under different CSP policies. The question seems to remain: how to set the policy?

If it hasn't been worked out yet, my vote is for "no shared workers under differing policies". That is to say, if at T0 you open a worker and have a CSP policy applied, and at T1 you try the same named worker under a different policy, they are not shared.
Received on Tuesday, 14 May 2013 16:56:04 UTC
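
The "no shared workers under differing policies" rule proposed in the message above can be modeled as a worker registry whose lookup key includes the connecting document's policy. This is an added example, not part of the original message or of any browser's implementation; `normalizePolicy`, `SharedWorkerRegistry`, the sample policies and the rule for when two policies count as "the same" are all assumptions made for illustration.

```javascript
// Added illustration: a toy registry modeling the rule proposed in the message.
// Assumption: two policies are "the same" when they match after normalization
// (directive names lowercased, first duplicate wins, directives/sources sorted).
function normalizePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (!name) continue; // skip empty segments such as a trailing ";"
    const key = name.toLowerCase();
    // CSP ignores a repeated directive, so keep only the first occurrence.
    if (!directives.has(key)) directives.set(key, [...new Set(sources)].sort());
  }
  return [...directives.keys()].sort()
    .map((k) => [k, ...directives.get(k)].join(" ")).join("; ");
}

class SharedWorkerRegistry {
  constructor() {
    this.workers = new Map();
    this.nextId = 1;
  }
  // Returns the worker record that a document served with `policy` connects to.
  connect(scriptURL, name, policy) {
    const policyKey = normalizePolicy(policy);
    // The policy is part of the identity, so differing policies never share.
    const key = JSON.stringify([scriptURL, name, policyKey]);
    let worker = this.workers.get(key);
    if (!worker) {
      worker = { id: this.nextId++, scriptURL, name, policy: policyKey, clients: 0 };
      this.workers.set(key, worker);
    }
    worker.clients += 1;
    return worker;
  }
}

// Constructed scenario following the message: liberal policy at T0,
// more restrictive policy at T1, and a T2 page that restates the T0 policy.
function demo() {
  const reg = new SharedWorkerRegistry();
  const liberal = "default-src *; script-src 'self' https://cdn.example";
  const strict = "default-src 'none'; script-src 'self'";
  const t0 = reg.connect("/worker.js", "sync", liberal);
  const t1 = reg.connect("/worker.js", "sync", strict);
  const t2 = reg.connect("/worker.js", "sync",
    "SCRIPT-SRC https://cdn.example 'self';default-src *");
  return { t0: t0.id, t1: t1.id, t2: t2.id, t0Clients: t0.clients };
}
```

The T0 and T1 documents end up with separate worker instances even though the script URL and worker name match, while the T2 document, whose policy differs only in spelling and ordering, joins the T0 worker.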