From a quick search through httparchive (data from httparchive.requests.2021_07_01_desktop) it looks like out of 549,668 outgoing requests for dedicated workers, 457,780 of them returned a Content-Security-Policy header (hence ~80%). As a comparison, from the same data it looks like ~15% of document requests return a Content-Security-Policy.

Better data could be gathered by building some use counters in chromium's code. I have not looked into how often that would remove restrictions from existing web content. I don't see an easy way to do it without adding code to chrome to check both the inherited and the response CSP for each outgoing request from a worker and report when the two checks mismatch. It is surely doable but I have the impression it might be overkill in this case. Since the proposed behaviour is already implemented by Firefox (and it seems also by Safari), I believe the probability of this breaking something to be fairly low (developers would have noticed their websites not working on Firefox/Safari already).

On Wed, Sep 29, 2021 at 1:21 PM Yoav Weiss <yoavwe...@chromium.org> wrote:

> Have you looked into the compatibility implications of changing behavior
> here? How often would that remove restrictions from existing web content?
> How often do dedicated workers currently get CSP headers which will now be
> applied?
>
> On Mon, Sep 27, 2021 at 12:50 PM Antonio Sartori <
> antoniosart...@chromium.org> wrote:
>
>> Contact emails: antoniosart...@chromium.org
>>
>> Specification
>> https://html.spec.whatwg.org/#initialize-worker-policy-container
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#csp_in_workers
>>
>> Summary
>>
>> Dedicated workers should be governed by the Content Security Policy
>> delivered in their script response headers. Chrome incorrectly used to
>> instead apply the Content Security Policy of the owner document. We would
>> like to change chrome's behaviour to adhere to what is specified.
>>
>> For background, see the discussion on the github issue where this was
>> agreed: https://github.com/w3c/webappsec-csp/issues/336
>>
>> Blink component: Blink>SecurityFeature>ContentSecurityPolicy
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>>
>> TAG review
>>
>> TAG review status: Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Gecko: Shipped/Shipping. See also the discussion on the issue
>> https://github.com/w3c/webappsec-csp/issues/336
>>
>> WebKit: N/A
>>
>> Web developers: Positive
>> (https://bugs.chromium.org/p/chromium/issues/detail?id=1012640). This has
>> been reported as a bug to chrome.
>>
>> Debuggability
>>
>> Warnings regarding Content Security Policy are and will continue to be
>> reported in the devtools console.
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>> Yes
>>
>> Flag name
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1253267
>>
>> Estimated milestones
>>
>> No milestones specified
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5715844005888000
>>
>> This intent message was generated by Chrome Platform Status
>> <https://www.chromestatus.com/>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOzWxF5EX2mHofXHLK_V7VTQ5v%3DPcunu_BiF%2BzFJQTFy9DSwTQ%40mail.gmail.com.
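As an added illustration that is not part of this thread or of Chromium's code: a minimal Python server that serves a document and a dedicated worker script with different Content-Security-Policy headers, so a practitioner can open it in a browser and see which policy governs the worker's fetch(). The paths, port and policy values are constructed for this example.

```python
# Added example (not from the thread or Chromium): serve a document and a
# dedicated worker with different CSP headers and watch which one governs the
# worker's fetch(). Per the HTML spec (and Firefox), the worker script's own
# response CSP applies, so the fetch below is blocked; pre-change Chrome applied
# the owner document's CSP instead and allowed it. Paths, port and policies
# are constructed for this example.
from http.server import BaseHTTPRequestHandler, HTTPServer

DOCUMENT_CSP = "default-src 'self'; connect-src 'self'"  # permits fetch('/ping')
WORKER_CSP = "connect-src 'none'"                        # forbids every fetch

INDEX_HTML = b"""<!doctype html><pre id="out"></pre><script>
const w = new Worker('/worker.js');
w.onmessage = e => { document.getElementById('out').textContent = e.data; };
</script>"""

WORKER_JS = b"""fetch('/ping')
  .then(() => postMessage('fetch allowed: the document CSP was applied'))
  .catch(e => postMessage('fetch blocked by the worker CSP: ' + e));"""

# path -> (content type, CSP header value or None, body)
ROUTES = {
    "/": ("text/html", DOCUMENT_CSP, INDEX_HTML),
    "/worker.js": ("text/javascript", WORKER_CSP, WORKER_JS),
    "/ping": ("text/plain", None, b"pong"),
}

def csp_for(path):
    """Content-Security-Policy value that would be sent for `path`, or None."""
    route = ROUTES.get(path)
    return route[1] if route else None

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        route = ROUTES.get(self.path)
        if route is None:
            self.send_error(404)
            return
        ctype, csp, body = route
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        if csp is not None:
            self.send_header("Content-Security-Policy", csp)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run the script and load http://127.0.0.1:8000/ in a browser: a spec-conformant engine reports the fetch as blocked by the worker's own CSP, while a browser that still inherits the document's policy reports it as allowed.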