W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2013

Re: CSP: workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 14 May 2013 12:08:40 -0700
Message-ID: <CADnb78iMkg-mRJAqfO=SLDU-ztmUeMV6Xyxsjg80X=hGsBk1tw@mail.gmail.com>
To: Alex Russell <slightlyoff@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, May 14, 2013 at 9:55 AM, Alex Russell <slightlyoff@google.com> wrote:
> If it hasn't been worked out yet, my vote is for "no shared workers under
> differing policies". That is to say, if at T0 you open a worker and have a
> CSP policy applied, and at T1 you try the same named worker under a
> different policy, they are not shared.

I think it makes more sense to treat opening a worker as creating an
iframe. That works better for the navigation controller scenario as
well (the (shared) worker is governed by the controller that governs
its URL, rather than the document that created it).

Received on Tuesday, 14 May 2013 19:09:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC