CSP, Blob Workers, and Firefox from Paul Frazee on 2014-04-19 (public-webappsec@w3.org from April 2014)

From: Paul Frazee <pfrazee@gmail.com>
Date: Sat, 19 Apr 2014 08:58:06 -0500
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAD4FMeg8vn1=ynRXSvFk4kor3THn2SaMfqqX0xCddaK6sWtnaw@mail.gmail.com>

I've got an edge case that the Firefox guys see as undefined in the CSP
spec.

Bug report here: https://bugzilla.mozilla.org/show_bug.cgi?id=964276

Shouldn't blob URIs take the origin that they've been created within? If
so, script-src 'self' ought to allow the Worker to load.

Paul F

Received on Saturday, 19 April 2014 13:59:14 UTC