- From: Mike West <mkwst@google.com>
- Date: Tue, 19 Aug 2014 09:21:34 +0200
- To: Kevin Hill <khill@microsoft.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 19 August 2014 07:22:22 UTC
On Tue, Aug 19, 2014 at 12:36 AM, Kevin Hill <khill@microsoft.com> wrote: > Is it possible to have a user agent enforcing a CSP policy for the owner > document, and a web worker doesn’t have a CSP policy? > Yes, just as it's possible for a page to embed a frame that doesn't have an enforced policy. > There isn’t a mention of if a policy was delivered over http/https, is > this by design, or is this case missing. > I don't understand the question, could you clarify please? If the worker's policy is delivered via an HTTP header, it should be enforced/monitored for the worker. -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 19 August 2014 07:22:22 UTC