RE: [CSP] Section 5.1 Workers, is this missing a case?

I don't understand the question, could you clarify please? If the worker's policy is delivered via an HTTP header, it should be enforced/monitored for the worker.

CSP 1 says all webworkers get owner document policies.

CSP Level 2 says data/blob/etc. get owner document policies, but http/https get their own CSP policy from the HTTP header.

We are looking to clarify what happens when the owner document has a CSP policy, but the http/https based webworker doesn’t.

CSP 1.0 snippet
Whenever a user agent runs a worker<http://www.w3.org/TR/workers/#run-a-worker>: [WEBWORKERS<http://www.w3.org/TR/CSP/#bib-WEBWORKERS>]

  *   If the user agent is enforcing a CSP policy for the owner document, the user agent must enforce the CSP policy for the worker.
  *   If the user agent is monitoring a CSP policy for the owner document, the user agent must monitor the CSP policy for the worker.

Received on Thursday, 21 August 2014 18:24:41 UTC