RE: [Workers] CSP and SharedWorkers

> -----Original Message-----
> From: Jonas Sicking [mailto:jonas@sicking.cc]
> What do implementations do with regards to linking <script> to
> blob/data/filesystem? Are they treated like normal protocols, or are they
> treated like eval()? If they are treated like normal protocols then maybe we can
> simply not have any special rules for them and say that for now they never get a
> CSP.

[Hill, Brad] We're working through this at the moment, actually, since we've uncovered issues related to this in testing.  The proposals on the table are:

1) Allow blob/data/filesystem if 'self' (or equivalent) is allowed for everything but script and style, but require unsafe-eval for script and style.

2) Require that these schemes be explicitly listed (exclude them from the * production) with a warning that doing so is equivalent to unsafe-eval.

Happy to hear further thoughts on this.

-Brad

Received on Friday, 27 September 2013 16:02:33 UTC
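To make the two proposals concrete, here is an added example (not code from the thread or from any browser) that models how a `script-src`/`img-src` decision would differ for `blob:`, `data:` and `filesystem:` URLs under each proposal. The policy parser, the `allowed()` function and the reading that proposal 1 treats `*` as "equivalent" to `'self'` are my assumptions; real CSP source matching is considerably more involved than this sketch.

```javascript
// Toy model of the two proposals for blob:/data:/filesystem: handling in CSP.
// Assumptions (not from the thread): simplified source matching, '*' counts as
// "'self' or equivalent" for proposal 1, and script/style need 'unsafe-eval'.
const SPECIAL_SCHEMES = ["blob:", "data:", "filesystem:"];

// Parse "script-src 'self' https://cdn.example; img-src *" into a map of
// lowercased directive name -> list of source expressions.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() + ":" : null;
}

// Decide whether `url` may be loaded for `directive` (e.g. "script-src") by a
// document at `pageOrigin`, under proposal 1 or 2 from the message above.
function allowed(policy, directive, url, pageOrigin, proposal) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // nothing governs this directive: CSP does not restrict it
  const scheme = schemeOf(url);
  const evalLike = directive === "script-src" || directive === "style-src";

  if (SPECIAL_SCHEMES.includes(scheme)) {
    if (proposal === 1) {
      // Proposal 1: script/style need 'unsafe-eval'; everything else rides on 'self' (or '*').
      if (evalLike) return sources.includes("'unsafe-eval'");
      return sources.includes("'self'") || sources.includes("*");
    }
    // Proposal 2: the scheme must be listed explicitly; '*' deliberately does not cover it.
    return sources.includes(scheme);
  }

  // Ordinary http(s) URL: '*', same-origin via 'self', or an explicitly listed origin.
  if (sources.includes("*")) return true;
  if (sources.includes("'self'") && url.startsWith(pageOrigin + "/")) return true;
  return sources.some(s => !s.startsWith("'") && url.startsWith(s + "/"));
}
```

The interesting case is `img-src *` with a `data:` image: proposal 1 allows it because `*` is treated as covering `'self'`, while proposal 2 blocks it until `data:` is listed explicitly.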