[webkit-dev] Request for Position on Content Security Policy for dedicated workers
antoniosartori at chromium.org
Fri Oct 1 09:07:14 PDT 2021
I would like to ask for WebKit's official position on how Content Security
Policy for dedicated workers should be delivered. We have had two
possibilities in the past:
(a) Dedicated workers inherit the Content Security Policy from their owner
(b) Dedicated workers use the policy delivered in their resource Content
Security Policy HTTP response headers.
The specced behaviour in CSP3 has initially been to do (a). However,
Mozilla officially requested to switch to (b) quite some time ago.
The spec since then was refactored (inheritance and CSP initialization
moved from CSP to HTML), and the specified behaviour is now (b).
Chrome currently implements (a) while Firefox implements (b). We would like
to change Chrome's behaviour to also adhere to the specified behaviour
and implement (b).
While from the few Web Platform Tests we have in place I am guessing
WebKit also implements (b), I would like to ask for an official position
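A way to observe which of the two behaviours described in the message above a given browser implements, as an added example that is not part of the original post. The paths, port 8080, the `--serve` flag and the result strings are assumptions made for this sketch.

```javascript
// Added illustration: a local probe server for dedicated-worker CSP delivery.
// The owner document forbids every connection; the worker script's own
// response allows same-origin connections. Which one wins shows the model.
const OWNER_CSP =
  "default-src 'none'; script-src 'self'; worker-src 'self'; connect-src 'none'";
const WORKER_CSP = "connect-src 'self'";

const ROUTES = {
  '/': {
    type: 'text/html',
    csp: OWNER_CSP,
    body: '<!doctype html><title>worker CSP probe</title>' +
          '<pre id="out">running</pre><script src="/page.js"></script>',
  },
  '/page.js': {
    type: 'text/javascript',
    body: "new Worker('/worker.js').onmessage = e => {" +
          " document.getElementById('out').textContent = e.data; };",
  },
  '/worker.js': {
    type: 'text/javascript',
    csp: WORKER_CSP,
    // fetch() is checked against connect-src of whichever policy the worker got.
    body: "fetch('/probe').then(" +
          "() => postMessage('(b) policy from worker response headers')," +
          "() => postMessage('(a) policy inherited from owner'));",
  },
  '/probe': { type: 'text/plain', body: 'ok' },
};

// Build the response for a path; only '/' and '/worker.js' carry a CSP header.
function responseFor(path) {
  const route = ROUTES[path];
  if (!route) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  const headers = { 'Content-Type': route.type, 'Cache-Control': 'no-store' };
  if (route.csp) headers['Content-Security-Policy'] = route.csp;
  return { status: 200, headers, body: route.body };
}

// Serve only when asked to, so the file can also be loaded just for its functions.
if (process.argv.includes('--serve')) {
  require('http').createServer((req, res) => {
    const r = responseFor(new URL(req.url, 'http://127.0.0.1').pathname);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8080, '127.0.0.1');
}
```

Start it with `node probe.js --serve` and open `http://127.0.0.1:8080/` in the browser under test; the page shows which policy governed the worker's `fetch()`.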