Have you looked into the compatibility implications of changing behavior here? How often would that remove restrictions from existing web content? How often do dedicated workers currently get CSP headers which will now be applied?
On Mon, Sep 27, 2021 at 12:50 PM Antonio Sartori <antoniosart...@chromium.org> wrote:

> Contact emails
> antoniosart...@chromium.org
>
> Specification
> https://html.spec.whatwg.org/#initialize-worker-policy-container
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#csp_in_workers
>
> Summary
> Dedicated workers should be governed by the Content Security Policy
> delivered in their script response headers. Chrome incorrectly used to
> instead apply the Content Security Policy of the owner document. We would
> like to change chrome's behaviour to adhere to what is specified.
>
> For background, see the discussion on the github issue where this was
> agreed: https://github.com/w3c/webappsec-csp/issues/336
>
> Blink component
> Blink>SecurityFeature>ContentSecurityPolicy
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>
> TAG review
>
> TAG review status
> Not applicable
>
> Risks
>
> Interoperability and Compatibility
>
> Gecko: Shipped/Shipping. See also the discussion on the issue
> https://github.com/w3c/webappsec-csp/issues/336
>
> WebKit: N/A
>
> Web developers: Positive
> (https://bugs.chromium.org/p/chromium/issues/detail?id=1012640) This has
> been reported as a bug to chrome.
>
> Debuggability
> Warnings regarding Content Security Policy are and will continue to be
> reported in the devtools console.
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
> Yes
>
> Flag name
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://bugs.chromium.org/p/chromium/issues/detail?id=1253267
>
> Estimated milestones
> No milestones specified
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/5715844005888000
>
> This intent message was generated by Chrome Platform Status
> <https://www.chromestatus.com/>.
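The following is an added example, not part of the thread and not Chromium code: a small model of which policy governs a dedicated worker under the earlier behaviour (owner document's CSP) and under the specified behaviour (CSP from the worker script's response headers), with a directive-level diff that shows where the switch would drop or add restrictions. Function names, the `app.example` URLs and the sample policies are constructed, and treating local-scheme workers (`about:`, `blob:`, `data:`) as keeping the owner's policy is a simplification of the spec step linked in the intent.

```javascript
// Added illustration: models which CSP governs a dedicated worker before and
// after the change discussed above. Not Chromium code; all names are hypothetical.
const LOCAL_SCHEMES = new Set(["about:", "blob:", "data:"]);

// Parse one serialized policy into Map<directive, sources[]>.
// As in CSP parsing, a repeated directive is ignored (first one wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// specBehaviour=false: owner document's policy (Chrome's earlier behaviour).
// specBehaviour=true: policy from the worker script's response headers.
// Simplification: local-scheme workers are modelled as keeping the owner's policy.
function governingCsp(workerUrl, ownerCsp, responseCsp, specBehaviour) {
  const local = LOCAL_SCHEMES.has(new URL(workerUrl).protocol);
  return parseCsp(specBehaviour && !local ? responseCsp : ownerCsp);
}

// Directive-level diff between the two behaviours. Names are compared
// literally; default-src fallback is not resolved.
function auditChange(workerUrl, ownerCsp, responseCsp) {
  const before = governingCsp(workerUrl, ownerCsp, responseCsp, false);
  const after = governingCsp(workerUrl, ownerCsp, responseCsp, true);
  const report = { dropped: [], added: [], changed: [] };
  for (const d of new Set([...before.keys(), ...after.keys()])) {
    const b = before.get(d), a = after.get(d);
    if (b && !a) report.dropped.push(d);
    else if (!b && a) report.added.push(d);
    else if (b.join(" ") !== a.join(" ")) report.changed.push(d);
  }
  return report;
}

// Constructed sample inputs.
const OWNER = "script-src 'self'; connect-src 'self'";
console.log(auditChange("https://app.example/worker.js", OWNER, null));
console.log(auditChange("https://app.example/worker.js", OWNER,
  "connect-src 'none'; default-src 'self'"));
console.log(auditChange("data:text/javascript,postMessage(1)", OWNER, null));
```

A non-empty `dropped` list for a worker script served without its own CSP header is the case the compatibility question in the reply is asking about.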