Re: [CSP] Section 5.1 Workers, is this missing a case?

On Thu, Aug 21, 2014 at 8:24 PM, Kevin Hill <khill@microsoft.com> wrote:

> I don't understand the question, could you clarify please? If the
> worker's policy is delivered via an HTTP header, it should be
> enforced/monitored for the worker.
>
> CSP 1 says all webworkers get owner document policies.
>
> CSP Level 2 says data/blob/etc get owner document policies, but http/https
> get their own CSP policy from http header.
>
> We are looking to clarify what happens when the owner document has a CSP
> policy, but the http/https based webworker doesn't.
>

CSP2 treats workers as separate execution environments (just like frames).
They may set a policy, or they may choose not to set a policy.

If a worker delivered over HTTP/HTTPS doesn't set a policy, a policy won't
be enforced in its context.

-mike

--
Mike West <mkwst@google.com>

Received on Friday, 22 August 2014 13:21:18 UTC
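
The rule discussed in this thread, turned into a deployment check. This is an added example, not part of the original messages or of the CSP specification: it reports worker scripts that would run with no enforced policy even though the owner document has one. The function names, the header-object shape and the sample URLs are assumptions made for illustration.

```javascript
// Schemes whose workers take the owner document's policy, per the message
// above ("data/blob/etc"); only the two it names are listed here.
const INHERITING_SCHEMES = new Set(["data:", "blob:"]);

// Return the enforced CSP header values from a response-header object,
// matching the header name case-insensitively. Report-only is not enforcement.
function enforcedPolicies(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "content-security-policy") continue;
    for (const v of Array.isArray(value) ? value : [value]) {
      if (typeof v === "string" && v.trim() !== "") out.push(v.trim());
    }
  }
  return out;
}

// Decide which policies govern a worker under the CSP Level 2 behaviour
// described in the thread.
function workerPolicy(ownerPolicies, workerUrl, workerHeaders) {
  const scheme = new URL(workerUrl).protocol;
  if (INHERITING_SCHEMES.has(scheme)) {
    return { source: "owner-document", policies: ownerPolicies.slice() };
  }
  if (scheme === "http:" || scheme === "https:") {
    return { source: "worker-response", policies: enforcedPolicies(workerHeaders) };
  }
  throw new Error("scheme not covered by the thread: " + scheme);
}

// Flag workers that run with no policy although the owner document has one.
function findUnprotectedWorkers(ownerPolicies, workers) {
  if (ownerPolicies.length === 0) return [];
  return workers
    .filter((w) => workerPolicy(ownerPolicies, w.url, w.headers).policies.length === 0)
    .map((w) => w.url);
}

// Constructed sample data (not from the thread).
const SAMPLE_OWNER = ["default-src 'self'"];
const SAMPLE_WORKERS = [
  { url: "https://app.example/js/a.js", headers: { "content-type": "text/javascript" } },
  { url: "https://app.example/js/b.js", headers: { "Content-Security-Policy": "default-src 'none'" } },
  { url: "https://app.example/js/c.js", headers: { "Content-Security-Policy-Report-Only": "default-src 'none'" } },
  { url: "blob:https://app.example/5f1c", headers: {} },
];

console.log(findUnprotectedWorkers(SAMPLE_OWNER, SAMPLE_WORKERS));
```

Sending a `Content-Security-Policy` header on each HTTP/HTTPS worker script response closes the gap the check reports.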