Re: CSP: workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 16 May 2013 18:14:59 +0100
Message-ID: <CADnb78i5sB9LuCif83b4n7Xf6D-CarPziPv8VecZ0yy84Y-sEw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>, Ian Hickson <ian@hixie.ch>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, May 16, 2013 at 6:02 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 5/14/2013 12:08 PM, Anne van Kesteren wrote:
>> I think it makes more sense to treat opening a worker as creating an
>> iframe. That works better for the navigation controller scenario as
>> well (the (shared) worker is governed by the controller that governs
>> its URL, rather than the document that created it).
> If not from the document which created it, how do you define the CSP for a
> worker, from a CSP header when it's loaded? In all other cases we're
> ignoring CSP headers on script files.

Right, but a worker is not a script file. It's a worker, which is
intended to be similar to a document as far as I understand the design.
A worker can import scripts itself using importScripts.

I'd argue its CSP policy should be defined by the headers supplied for
it. I also don't really see what else would work for shared workers.

Might be good if Ian could comment on this, but he's not back for a week or so.

Received on Thursday, 16 May 2013 17:15:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC