Re: [CSP] Section 5.1 Workers, is this missing a case?

On Thu, Aug 21, 2014 at 8:24 PM, Kevin Hill wrote:

> I don't understand the question, could you clarify please? If the
> worker's policy is delivered via an HTTP header, it should be
> enforced/monitored for the worker.
> CSP 1 says all webworkers get owner document policies.
> CSP Level 2 says data/blob/etc get owner document policies, but http/https
> get their own CSP policy from http header.
> We are looking to clarify what happens when the owner document has a CSP
> policy, but the http/https based webworker doesn’t.

CSP2 treats workers as separate execution environments (just like frames).
They may set a policy, or they may choose not to set a policy.

If a worker delivered over HTTP/HTTPS doesn't set a policy, a policy won't
be enforced in its context.


Mike West
Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 22 August 2014 13:21:18 UTC
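
The CSP Level 2 worker rule discussed in this thread, as an added example that is not part of the original messages: it models which policy governs a worker and lists workers that run with no policy even though the owner document has one. The function names, URLs and sample header values are assumptions made for illustration; only the `data:` and `blob:` schemes named in the thread are treated as inheriting.

```javascript
// Added example: models the CSP Level 2 worker rule as stated in this thread.
// All names and sample data below are constructed for illustration.
const INHERITING_SCHEMES = new Set(["data:", "blob:"]);

// Decide which policy governs a worker created from workerUrl.
function workerPolicy(ownerPolicy, workerUrl, responseHeaders = {}) {
  const scheme = new URL(workerUrl).protocol;
  if (INHERITING_SCHEMES.has(scheme)) {
    // data:/blob: workers get the owner document's policy.
    return { source: "owner-document", policy: ownerPolicy || null };
  }
  if (scheme === "http:" || scheme === "https:") {
    // Header names are case-insensitive, so normalise before the lookup.
    const headers = Object.fromEntries(
      Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
    );
    const own = headers["content-security-policy"];
    // No header on the worker response means no policy in the worker,
    // regardless of what the owner document enforces.
    return own
      ? { source: "worker-response", policy: own }
      : { source: "none", policy: null };
  }
  // Other schemes are not spelled out in the thread; do not guess.
  return { source: "unspecified", policy: null };
}

// List worker URLs that run unconstrained while the owner document is protected.
function findUnprotectedWorkers(ownerPolicy, workers) {
  if (!ownerPolicy) return [];
  return workers
    .filter((w) => workerPolicy(ownerPolicy, w.url, w.headers).source === "none")
    .map((w) => w.url);
}

// Constructed sample: worker script responses observed for one page.
const OWNER_POLICY = "script-src 'self'";
const SAMPLE_WORKERS = [
  { url: "https://app.example/js/sync-worker.js", headers: {} },
  { url: "https://app.example/js/crypto-worker.js",
    headers: { "Content-Security-Policy": "default-src 'none'" } },
  { url: "blob:https://app.example/6f1c2e4a", headers: {} },
];

console.log(findUnprotectedWorkers(OWNER_POLICY, SAMPLE_WORKERS));
```

Feeding it the response headers recorded for each worker script URL gives a quick list of worker endpoints that still need their own `Content-Security-Policy` header.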