ACTION-146, propose spec text for Workers

<hat = individual>

We have had some discussions on how to treat Workers, with one idea that
they should be treated more like a separate document context with their own
policy, instead of like another script.  The current text states:

Whenever a user agent runs a
worker<http://www.w3.org/TR/workers/#run-a-worker>:
[WEBWORKERS<https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>
]

   - If the user agent is enforcing a CSP policy for the owner document,
   the user agent *must* enforce the CSP policy for the worker.
   - If the user agent is monitoring a CSP policy for the owner document,
   the user agent *must* monitor the CSP policy for the worker.



I'd like to propose the following new text, with a dependency on the
resolution of ACTION-149:

Whenever a user agent runs a
Worker<http://www.w3.org/TR/workers/#run-a-worker>:
[WEBWORKERS<https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#bib-WEBWORKERS>
]

   - If the worker is created from a URI scheme such as "blob:",
   "filesystem:", "data:" or "javascript:", the worker inherits whatever
   security policies are currently be enforced or monitored for the owner
   document.
   - Otherwise the worker is subject to whatever policies are attached to
   the resource used to create the worker.


Does anyone know if a SharedWorker can be created with "data:"
"javascript:" or "blob:"?

-Brad

Received on Tuesday, 19 November 2013 00:08:09 UTC