
Re: ACTION-146, propose spec text for Workers

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 19 Nov 2013 12:58:10 -0800
Message-ID: <528BD0E2.9040301@mozilla.com>
To: "Hill, Brad" <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 11/19/2013 11:30 AM, Hill, Brad wrote:
> Actually, as I think more about it, perhaps workers should properly
> be controlled by frame-src, not script-src.  After all,
> they're a distinct child browsing context.  We already find we need
> to special-case srcdoc, data:, etc. there, and could apply the same
> treatment to Workers.

I could go for that. It makes a decision to use the CSP in the worker
script's headers seem a lot less odd.

What do we break if we change things now? Any Worker-using site that had
frame-src 'none' instead of 'self' or something broader.

> I suppose a better name would be "child-src", but probably too late
> for that.

We could deprecate frame-src and browsers could support both for a while
as synonyms. Not sure it's worth it though.

-Dan Veditz
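
The breakage Dan points at (a Worker-using site that shipped frame-src 'none' because, under CSP 1.0, frame-src had nothing to do with its workers) can be made concrete with a small model of CSP directive lookup. The following is an added example, not code from this thread, from the spec, or from any browser. It assumes a document origin of https://example.com, a simplified host-source matcher (scheme, host with an optional leading "*.", port; no paths or nonces), the CSP 1.0 fallback to default-src when the governing directive is absent, and it models the child-src idea as a directive that is consulted first, with frame-src kept as a synonym that is consulted only when child-src is missing.

```javascript
// Added example (not from the thread or any browser): a toy model of how a
// CSP policy would gate `new Worker(url)` under the directives discussed.
// Source-expression matching is simplified; real CSP has more cases
// (paths, scheme-only sources, nonces, hashes).

// Assumed origin of the document that is creating the worker.
const PAGE_ORIGIN = "https://example.com";

// Which directive(s) are consulted for a worker script fetch, per model:
//   "script-src": CSP 1.0 behaviour, a worker script is just a script.
//   "frame-src":  Brad's proposal, a worker is a child browsing context.
//   "child-src":  the renamed directive, with frame-src kept as a synonym
//                 that is consulted only if child-src is absent.
const GOVERNING = {
  "script-src": ["script-src"],
  "frame-src": ["frame-src"],
  "child-src": ["child-src", "frame-src"],
};

// Parse "name value value; name value" into Map(name -> [values]).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  return directives;
}

// Does one source expression match the worker URL?
function sourceMatches(expr, workerUrl, pageOrigin) {
  const target = new URL(workerUrl, pageOrigin);
  const page = new URL(pageOrigin);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return target.origin === page.origin;
  if (lower === "*") return true;
  if (lower.startsWith("'")) return false; // other keywords never match a URL
  // host-source: [scheme://]host[:port], where host may start with "*."
  const wildcard = lower.startsWith("*.") || lower.includes("://*.");
  const withScheme = expr.includes("://") ? expr : `${page.protocol}//${expr}`;
  let src;
  try {
    src = new URL(withScheme.replace("*.", "wildcard."));
  } catch (e) {
    return false; // an unparseable source expression matches nothing
  }
  const hostOk = wildcard
    ? target.hostname.endsWith(src.hostname.slice("wildcard".length))
    : target.hostname === src.hostname;
  return target.protocol === src.protocol && hostOk && target.port === src.port;
}

// Decide whether the worker fetch is allowed under the given model.
// Falls back to default-src when no governing directive is present, and
// allows the fetch when the policy says nothing applicable at all.
function workerAllowed(header, workerUrl, model, pageOrigin = PAGE_ORIGIN) {
  const policy = parsePolicy(header);
  const governing = GOVERNING[model];
  if (!governing) throw new Error(`unknown model: ${model}`);
  let sources = null;
  for (const name of governing) {
    if (policy.has(name)) {
      sources = policy.get(name);
      break;
    }
  }
  if (sources === null && policy.has("default-src")) sources = policy.get("default-src");
  if (sources === null) return true;
  return sources.some((expr) => sourceMatches(expr, workerUrl, pageOrigin));
}

// Evaluate one policy under all three models, to show what moving workers
// from script-src to frame-src would break for an existing deployment.
function compareModels(header, workerUrl) {
  const out = {};
  for (const model of Object.keys(GOVERNING)) {
    out[model] = workerAllowed(header, workerUrl, model);
  }
  return out;
}

// Constructed sample policy: frames locked down, scripts from self and a CDN.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net; frame-src 'none'";
console.log(compareModels(SAMPLE_POLICY, "/worker.js"));
// -> { 'script-src': true, 'frame-src': false, 'child-src': false }
```

Run it with `node`. The sample policy is exactly the deployment Dan worries about: a same-origin worker is allowed while workers are governed by script-src, and blocked the moment they are governed by frame-src (or by a child-src that falls through to the frame-src synonym). A policy that omits both governing directives falls back to default-src, so `default-src 'none'` blocks the worker under every model. For the record, the spec later went this way: CSP Level 2 introduced child-src covering both workers and nested browsing contexts.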



Received on Tuesday, 19 November 2013 20:58:39 UTC