[CSP] Section 5.1 Workers, is this missing a case?

5.1 Whenever a user agent runs a worker<https://w3c.github.io/webappsec/specs/content-security-policy/#runs-a-worker>:

* If the worker's script's origin is a globally unique identifier<https://w3c.github.io/webappsec/specs/content-security-policy/#globally-unique-identifier> (for example, the worker's script's URL has a scheme of data, blob, or filesystem), then:

  o If the user agent is enforcing a CSP policy for the owner document, the user agent MUST enforce the CSP policy for the worker.

  o If the user agent is monitoring a CSP policy for the owner document, the user agent MUST monitor the CSP policy for the worker.

* Otherwise:

  o If the worker's script is delivered with a Content-Security-Policy HTTP header containing the value policy, the user agent MUST enforce<https://w3c.github.io/webappsec/specs/content-security-policy/#enforce> policy for the worker.

  o If the worker's script is delivered with a Content-Security-Policy-Report-Only HTTP header containing the value policy, the user agent MUST monitor<https://w3c.github.io/webappsec/specs/content-security-policy/#monitor> policy for the worker.

Is it possible to have a user agent enforcing a CSP policy for the owner document, and a web worker doesn't have a CSP policy?
There isn't a mention of if a policy was delivered over http/https, is this by design, or is this case missing?

Received on Monday, 18 August 2014 22:37:25 UTC
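
The Section 5.1 rules quoted in the message, modeled as a small decision function. This is an added example, not code from the original post or from the specification; the name `workerPolicies`, its input fields, and the sample URLs and policy strings are assumptions constructed for illustration. It models only the quoted bullets, so a worker script fetched over https with no CSP header ends up with no policy even when the owner document has one, which is the case the question raises.

```javascript
// Added illustration: models only the Section 5.1 bullets quoted in the message.
// workerPolicies and its field names are assumptions of this sketch.
const UNIQUE_ORIGIN_SCHEMES = new Set(["data:", "blob:", "filesystem:"]);

function workerPolicies({ scriptUrl, headers = {}, ownerPolicies = {} }) {
  const scheme = new URL(scriptUrl).protocol; // e.g. "blob:" or "https:"
  const result = { enforce: [], monitor: [], source: "none" };

  if (UNIQUE_ORIGIN_SCHEMES.has(scheme)) {
    // First bullet: the worker takes whatever the owner document is
    // enforcing or monitoring.
    if (ownerPolicies.enforce) result.enforce.push(ownerPolicies.enforce);
    if (ownerPolicies.monitor) result.monitor.push(ownerPolicies.monitor);
    if (result.enforce.length || result.monitor.length) {
      result.source = "owner-document";
    }
    return result;
  }

  // "Otherwise" bullet: only headers delivered with the worker script count.
  // Header names are case-insensitive, so normalise the keys first.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const enforced = h["content-security-policy"];
  const monitored = h["content-security-policy-report-only"];
  if (enforced) result.enforce.push(enforced);
  if (monitored) result.monitor.push(monitored);
  if (enforced || monitored) result.source = "response-header";
  return result;
}

// Constructed sample inputs: the owner document enforces a policy in each case.
const ownerDoc = { enforce: "script-src 'self'" };
const samples = [
  { scriptUrl: "blob:https://app.example/1b2c", ownerPolicies: ownerDoc },
  { scriptUrl: "https://app.example/worker.js", ownerPolicies: ownerDoc,
    headers: { "Content-Security-Policy": "default-src 'none'" } },
  // The case asked about: network-delivered script, no CSP header.
  { scriptUrl: "https://app.example/worker.js", ownerPolicies: ownerDoc },
];
for (const s of samples) {
  console.log(s.scriptUrl, JSON.stringify(workerPolicies(s)));
}
```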