- From: Kevin Hill <khill@microsoft.com>
- Date: Thu, 21 Aug 2014 18:24:11 +0000
- To: Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 21 August 2014 18:24:41 UTC
I don't understand the question, could you clarify please? If the worker's policy is delivered via an HTTP header, it should be enforced/monitored for the worker.

CSP 1 – says all webworkers get owner document policies. CSP Level 2 says data/blob/etc get owner document policies, but http/https get their own CSP policy from http header. We are looking to clarify what happens when the owner document has a CSP policy, but the http/https based webworker doesn’t.

CSP 1.0 snippet

Whenever a user agent runs a worker<http://www.w3.org/TR/workers/#run-a-worker>: [WEBWORKERS<http://www.w3.org/TR/CSP/#bib-WEBWORKERS>]

* If the user agent is enforcing a CSP policy for the owner document, the user agent must enforce the CSP policy for the worker.
* If the user agent is monitoring a CSP policy for the owner document, the user agent must monitor the CSP policy for the worker.