[webkit-dev] Request for Position on Content Security Policy for dedicated workers

Antonio Sartori antoniosartori at chromium.org
Fri Oct 1 09:07:14 PDT 2021


Hello Webkit-dev,

I would like to ask for WebKit's official position on how Content Security
Policy [1] for dedicated workers should be delivered. We have had two
possibilities in the past:

(a) Dedicated workers inherit the Content Security Policy from their owner
context.
(b) Dedicated workers use the policy delivered in their resource Content
Security Policy HTTP response headers.

The specced behaviour in CSP3 was initially to do (a). However,
Mozilla officially requested [2] to switch to (b) quite some time ago.

The spec has since been refactored (inheritance and CSP initialization
moved from CSP to HTML), and the specified behaviour is now (b) [3].

Chrome currently implements (a) while Firefox implements (b). We would like
[4] to change Chrome's behaviour to also adhere to the specified behaviour
and implement (b).

While from the few Web Platform Tests [5] we have in place I am guessing
WebKit also implements (b), I would like to ask for an official position
here.

Thanks,
Antonio

[1] https://w3c.github.io/webappsec-csp/
[2] https://github.com/w3c/webappsec-csp/issues/336#issuecomment-423165240
[3] https://html.spec.whatwg.org/#initialize-worker-policy-container
[4] https://chromestatus.com/feature/5715844005888000
[5] https://wpt.fyi/results/content-security-policy/inside-worker?label=experimental&label=master&aligned