Re: [whatwg] [Workers] CSP and SharedWorkers

On 26 September 2013 14:57, Jake Archibald <> wrote:

> Note, this only covers registration. If allows
> controllers from, and successfully calls
> registerServiceWorker("/*", ""), that
> controller will be used for all top-level fetches on,
> and all fetches originating from documents on,
> regardless of their CSP headers.

Oops, that's misleading. I mean the existing worker will be used for all
fetches even if the CSP rule of the page has changed to disallow
registering of that worker. The CSP of the page will still govern script
loading, XHR etc. If the page's CSP disallows a resource from a particular
URL, it won't consult the worker at all.

If the page requests an allowed URL, and the worker serves up a response
(cached or otherwise) from a not-allowed URL, CSP should block it.

(apologies for saying "controller" when I mean "service worker")

Received on Thursday, 26 September 2013 14:28:36 UTC
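
The fetch flow this message describes, modelled as an added example that is not part of the original email and is not spec or browser code. It includes the response check the author says CSP should perform; the function names, the `*.example` origins and the reduction of CSP matching to an origin allowlist are all assumptions.

```javascript
// Added model, not spec or browser code. All names and the *.example
// origins are hypothetical; CSP matching is reduced to an origin allowlist.
const registry = new Map(); // page origin -> registered worker

function cspAllows(allowedOrigins, url) {
  return allowedOrigins.includes(new URL(url).origin);
}

// CSP is checked here, at registration time only.
function registerWorker(page, scriptUrl, onfetch) {
  if (!cspAllows(page.workerSources, scriptUrl)) return false;
  registry.set(page.origin, { scriptUrl, onfetch });
  return true;
}

function pageFetch(page, requestUrl) {
  // 1. The page's CSP governs the request; a disallowed URL never reaches the worker.
  if (!cspAllows(page.fetchSources, requestUrl)) {
    return { blocked: true, stage: 'request', workerConsulted: false };
  }
  // 2. An existing worker is used even if the page could no longer register it.
  const worker = registry.get(page.origin);
  const response = worker ? worker.onfetch(requestUrl) : { url: requestUrl };
  // 3. A response sourced from a not-allowed URL is blocked.
  if (!cspAllows(page.fetchSources, response.url)) {
    return { blocked: true, stage: 'response', workerConsulted: Boolean(worker) };
  }
  return { blocked: false, stage: 'delivered', workerConsulted: Boolean(worker) };
}

function demo() {
  const site = 'https://site.example', cdn = 'https://cdn.example';
  const other = 'https://other.example';
  const page = { origin: site, workerSources: [cdn], fetchSources: [site, cdn] };
  // Constructed worker: answers /logo.png with a response from a not-allowed origin.
  const registered = registerWorker(page, cdn + '/sw.js', (url) =>
    ({ url: url.endsWith('/logo.png') ? other + '/logo.png' : url }));
  page.workerSources = []; // the page's CSP later disallows registering that worker
  const reRegistered = registerWorker(page, cdn + '/sw.js', (url) => ({ url }));
  return {
    registered, reRegistered,
    allowed: pageFetch(page, site + '/app.js'),
    disallowedRequest: pageFetch(page, other + '/x.js'),
    swappedResponse: pageFetch(page, site + '/logo.png'),
  };
}
console.log(demo());
```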