- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 18 Nov 2013 16:07:40 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8iOs_qHPCruTwftWEN8wxz2zMxtigu+eWzxSArsnhTa2Q@mail.gmail.com>
<hat = individual>

We have had some discussions on how to treat Workers, with one idea that they should be treated more like a separate document context with their own policy, instead of like another script.

The current text states:

Whenever a user agent runs a worker <http://www.w3.org/TR/workers/#run-a-worker>: [WEBWORKERS <https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>]

- If the user agent is enforcing a CSP policy for the owner document, the user agent *must* enforce the CSP policy for the worker.
- If the user agent is monitoring a CSP policy for the owner document, the user agent *must* monitor the CSP policy for the worker.

I'd like to propose the following new text, with a dependency on the resolution of ACTION-149:

Whenever a user agent runs a Worker <http://www.w3.org/TR/workers/#run-a-worker>: [WEBWORKERS <https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>]

- If the worker is created from a URI scheme such as "blob:", "filesystem:", "data:" or "javascript:", the worker inherits whatever security policies are currently being enforced or monitored for the owner document.
- Otherwise the worker is subject to whatever policies are attached to the resource used to create the worker.

Does anyone know if a SharedWorker can be created with "data:", "javascript:" or "blob:"?

-Brad
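The two rules above, modelled as a policy-selection function so the difference between the current and the proposed text can be seen on concrete inputs. This is an added example, not code from the email or from the CSP specification; the function names, the header-object shape and the sample URLs are assumptions made here.

```javascript
// Added example (not from the email or the CSP spec): a model of the proposed
// rule for which CSP policies govern a worker. Function names are assumptions.

// Schemes named in the proposal: a worker created from one of these inherits the
// owner document's policies, since no fetched resource exists to carry headers.
const LOCAL_SCHEMES = new Set(["blob:", "filesystem:", "data:", "javascript:"]);

// Scheme of the script URL used to create the worker, resolved against the owner
// document's URL when the worker URL is relative (owner URL is a constructed default).
function schemeOf(workerUrl, ownerUrl = "https://owner.example/") {
  return new URL(workerUrl, ownerUrl).protocol;
}

// Split the CSP response headers of a fetched worker script into enforced and
// monitored policies. Several policies may be comma-separated in one header.
function policiesFromHeaders(headers) {
  const split = (name) =>
    (headers[name] || "").split(",").map((p) => p.trim()).filter(Boolean);
  return {
    enforced: split("content-security-policy"),
    monitored: split("content-security-policy-report-only"),
  };
}

// Proposed text: inherit for local schemes, otherwise apply whatever the worker
// resource's own response headers carry. ownerPolicies is
// {enforced: [...], monitored: [...]}; headers maps lower-cased names to values.
function policiesForWorker(workerUrl, ownerPolicies, headers, ownerUrl) {
  if (LOCAL_SCHEMES.has(schemeOf(workerUrl, ownerUrl))) {
    return policiesForWorkerCurrentText(ownerPolicies);
  }
  return { source: "resource", ...policiesFromHeaders(headers) };
}

// Current text, for comparison: the owner document's policies always apply.
function policiesForWorkerCurrentText(ownerPolicies) {
  return {
    source: "owner",
    enforced: [...ownerPolicies.enforced],
    monitored: [...ownerPolicies.monitored],
  };
}

// Constructed sample: an owner page with a strict script-src creates one blob:
// worker and one cross-origin worker whose response carries its own CSP.
const owner = { enforced: ["script-src 'self'"], monitored: [] };
console.log(policiesForWorker("blob:https://owner.example/4f1a", owner, {}));
console.log(policiesForWorker("https://cdn.example/w.js", owner,
  { "content-security-policy": "default-src 'none'; connect-src 'self'" }));
```

One consequence worth checking when reviewing the proposal: a fetched worker script whose response carries no CSP header runs with no policy at all under the proposed text, whereas under the current text the owner document's policy would still apply to it.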
Received on Tuesday, 19 November 2013 00:08:09 UTC