- From: Kevin Hill <khill@microsoft.com>
- Date: Mon, 18 Aug 2014 22:36:43 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <faa475dacc2f4924b866e2685f12503a@SN2PR03MB031.namprd03.prod.outlook.com>
5.1 Whenever a user agent runs a worker<https://w3c.github.io/webappsec/specs/content-security-policy/#runs-a-worker>:

* If the worker's script's origin is a globally unique identifier<https://w3c.github.io/webappsec/specs/content-security-policy/#globally-unique-identifier> (for example, the worker's script's URL has a scheme of data, blob, or filesystem), then:
  o If the user agent is enforcing a CSP policy for the owner document, the user agent MUST enforce the CSP policy for the worker.
  o If the user agent is monitoring a CSP policy for the owner document, the user agent MUST monitor the CSP policy for the worker.
* Otherwise:
  o If the worker's script is delivered with a Content-Security-Policy HTTP header containing the value policy, the user agent MUST enforce<https://w3c.github.io/webappsec/specs/content-security-policy/#enforce> policy for the worker.
  o If the worker's script is delivered with a Content-Security-Policy-Report-Only HTTP header containing the value policy, the user agent MUST monitor<https://w3c.github.io/webappsec/specs/content-security-policy/#monitor> policy for the worker.

Is it possible to have a user agent enforcing a CSP policy for the owner document, and a web worker that doesn't have a CSP policy? There isn't a mention of whether a policy was delivered over http/https; is this by design, or is this case missing?
Received on Monday, 18 August 2014 22:37:25 UTC
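The policy-selection steps quoted in the message above, modelled as a small function so the four cases can be compared side by side. This is an added example and is not part of the original message, the CSP specification, or any user agent's code; the policies, URLs and header values it uses are constructed, and the shape of the owner-document policy object is an assumption made for illustration.

```javascript
// Added example (not from the original message or the CSP spec): a model of
// the "runs a worker" steps quoted above, used to see which policy a worker
// ends up with in each case, including the one the message asks about
// (an http/https worker script delivered with no CSP headers at all).

// Schemes the spec gives as examples of a globally unique origin.
const GLOBALLY_UNIQUE_SCHEMES = new Set(['data', 'blob', 'filesystem']);

// Returns the URL scheme without the trailing colon (e.g. "https", "blob").
function schemeOf(url) {
  return new URL(url).protocol.replace(/:$/, '');
}

// owner:     { enforce: string|null, monitor: string|null } - the policies the
//            user agent is enforcing / monitoring for the owner document
//            (assumed shape, chosen for this example).
// workerUrl: the worker script's URL.
// headers:   response headers delivered with the worker script, lower-case
//            names, or {} when the script came with no CSP headers.
// Returns { enforce, monitor, inheritedFromOwner } for the worker.
function selectWorkerPolicy(owner, workerUrl, headers = {}) {
  if (GLOBALLY_UNIQUE_SCHEMES.has(schemeOf(workerUrl))) {
    // Globally unique origin: the worker takes the owner document's policies.
    return { enforce: owner.enforce, monitor: owner.monitor, inheritedFromOwner: true };
  }
  // Otherwise only the headers delivered with the worker script itself count;
  // the owner document's policy plays no part in this branch.
  return {
    enforce: headers['content-security-policy'] ?? null,
    monitor: headers['content-security-policy-report-only'] ?? null,
    inheritedFromOwner: false,
  };
}

// True when the worker ends up with neither an enforced nor a monitored policy.
function workerHasNoPolicy(owner, workerUrl, headers = {}) {
  const p = selectWorkerPolicy(owner, workerUrl, headers);
  return p.enforce === null && p.monitor === null;
}

// Constructed sample cases: the owner document enforces a policy, and the
// worker script is loaded four different ways.
const sampleOwner = { enforce: "default-src 'self'", monitor: null };

const sampleCases = [
  ['blob:https://app.example/0f1e2d3c', {}],
  ['data:text/javascript,postMessage(1)', {}],
  ['https://app.example/worker.js', { 'content-security-policy': "default-src 'none'" }],
  ['https://app.example/worker.js', {}], // the case the message asks about
];

for (const [url, headers] of sampleCases) {
  const result = selectWorkerPolicy(sampleOwner, url, headers);
  console.log(url, '->', JSON.stringify(result),
    workerHasNoPolicy(sampleOwner, url, headers) ? '(no policy at all)' : '');
}
```

Running it shows the blob: and data: workers inheriting the owner's `default-src 'self'`, the https worker with its own header getting `default-src 'none'`, and the https worker delivered without headers getting nothing, even though the owner document is enforcing a policy; that last line is exactly the situation the message raises.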