On 11/19/2013 11:30 AM, Hill, Brad wrote:
> Actually, as I think more about it, perhaps workers should
> properly be controlled by frame-src, not script-src. After all,
> they're a distinct child browsing context. We already find we need
> to special-case srcdoc, data:, etc. there, and could apply the same
> treatment to Workers.
I could go for that. It makes a decision to use the CSP in the worker
script's headers seem a lot less odd.
What do we break if we change things now? Any Worker-using site that had
frame-src 'none' instead of 'self' or something broader.
> I suppose a better name would be "child-src", but probably too late
> for that.
We could deprecate frame-src and browsers could support both for a while
as synonyms. Not sure it's worth it though.
-Dan Veditz
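The breakage question raised in the message above ("any Worker-using site that had frame-src 'none'") can be checked mechanically. The following is an added example, not code from the mailing-list thread or from any browser; it is a deliberately small CSP source-list matcher that evaluates a Worker URL under the old rule (script-src, falling back to default-src) and under the proposed rule (a child-src directive with frame-src as a synonym, then default-src). The sample policies, origin and Worker URL are constructed for the illustration; only 'none', 'self', '*' and plain host sources (with a leading `*.` wildcard) are handled, and nonces, hashes and scheme-only sources are left out.

```javascript
// Added example (not from the thread): which existing CSP policies would stop
// allowing a same-origin Worker if Worker scripts were governed by
// frame-src / child-src instead of script-src?

function parsePolicy(policy) {
  // "dir src src; dir2 src ..." -> Map(directive -> [sources]);
  // as in CSP, a repeated directive name is ignored after its first occurrence.
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  // host-source: optional scheme, then host[:port], with an optional "*." prefix
  let scheme = null;
  let host = source;
  const i = source.indexOf('://');
  if (i !== -1) {
    scheme = source.slice(0, i) + ':';
    host = source.slice(i + 3);
  }
  if (scheme && scheme !== url.protocol) return false;
  if (host.startsWith('*.')) return url.host.endsWith(host.slice(1));
  return host === url.host;
}

function allows(directives, directive, fallbacks, url, pageOrigin) {
  // The first directive present in [directive, ...fallbacks] governs the
  // request; if none of them is present the request is allowed.
  for (const name of [directive, ...fallbacks]) {
    if (directives.has(name)) {
      return directives.get(name).some((src) => sourceMatches(src, url, pageOrigin));
    }
  }
  return true;
}

// Old behaviour: the Worker script URL is checked against script-src.
function workerAllowedViaScriptSrc(policy, workerUrl, pageOrigin) {
  return allows(parsePolicy(policy), 'script-src', ['default-src'], new URL(workerUrl), pageOrigin);
}

// Proposed behaviour from the thread (assumed here): the Worker is a child
// browsing context, so child-src governs it, with frame-src as a synonym.
function workerAllowedViaChildSrc(policy, workerUrl, pageOrigin) {
  return allows(parsePolicy(policy), 'child-src', ['frame-src', 'default-src'], new URL(workerUrl), pageOrigin);
}

// Policies that allow the Worker today but would block it after the change.
function breakingPolicies(policies, workerUrl, pageOrigin) {
  return policies.filter(
    (p) => workerAllowedViaScriptSrc(p, workerUrl, pageOrigin) &&
           !workerAllowedViaChildSrc(p, workerUrl, pageOrigin),
  );
}

// Constructed sample policies (hypothetical, not taken from any real site).
const SAMPLE_POLICIES = [
  "default-src 'self'; script-src 'self' cdn.example.com; frame-src 'none'", // breaks
  "default-src 'self'; script-src 'self'; frame-src 'self'",                 // still fine
  "default-src 'none'; script-src 'self'; child-src 'self'",                 // fine with child-src
  "default-src 'self'",                                                      // fine via default-src
];
const PAGE_ORIGIN = 'https://app.example.com';
const WORKER_URL = 'https://app.example.com/worker.js';

console.log(breakingPolicies(SAMPLE_POLICIES, WORKER_URL, PAGE_ORIGIN));
```

Running it lists only the first policy: script-src lets the same-origin worker.js load, but frame-src 'none' would now refuse it. The third policy shows the synonym case, where a site that already spells out child-src keeps working regardless of its frame-src value.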