- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 16 May 2013 18:14:59 +0100
- To: Daniel Veditz <dveditz@mozilla.com>, Ian Hickson <ian@hixie.ch>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, May 16, 2013 at 6:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/14/2013 12:08 PM, Anne van Kesteren wrote:
>> I think it makes more sense to treat opening a worker as creating an
>> iframe. That works better for the navigation controller scenario as
>> well (the (shared) worker is governed by the controller that governs
>> its URL, rather than the document that created it).
>
> If not from the document which created it how do you define the CSP for a
> worker, from a CSP header when it's loaded? In all other cases we're
> ignoring CSP headers on script files.

Right, but a worker is not a script file. It's a worker, which is
intended to be similar to a document as far as I understand the design. A
worker can import scripts itself using importScripts. I'd argue its
CSP policy should be defined by the headers supplied for it. I also
don't really see what else would work for shared workers.

Might be good if Ian could comment on this, but he's not back for a
week or so.

--
http://annevankesteren.nl/

Received on Thursday, 16 May 2013 17:15:31 UTC