Re: [CSP] Section 5.1 Workers, is this missing a case?

On Tue, Aug 19, 2014 at 12:36 AM, Kevin Hill <khill@microsoft.com> wrote:

>  Is it possible to have a user agent enforcing a CSP policy for the owner
> document, and a web worker doesn’t have a CSP policy?
>

Yes, just as it's possible for a page to embed a frame that doesn't have an
enforced policy.


>  There isn’t a mention of if a policy was delivered over http/https, is
> this by design, or is this case missing.
>

I don't understand the question, could you clarify please? If the worker's
policy is delivered via an HTTP header, it should be enforced/monitored for
the worker.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 19 August 2014 07:22:22 UTC