On Wed, Sep 29, 2021 at 2:14 PM Antonio Sartori <antoniosart...@chromium.org> wrote:

> From a quick search through httparchive (data from httparchive.requests.2021_07_01_desktop) it looks like out of 549,668 outgoing requests for dedicated workers, 457,780 of them returned a Content-Security-Policy header (hence ~80%). As a comparison, from the same data it looks like ~15% of document requests return a Content-Security-Policy.
>

That's a lot!

>
> Better data could be gathered by building some use counters in chromium's code.
>

Unless there's particular urgency, I think use-counters would make sense here. That can give us confidence that content won't break as a result of this change in CSP rule application.

>
> I have not looked into how often that would remove restrictions from existing web contents. I don't see an easy way to do it without adding code to chrome to check both the inherited and the response CSP for each outgoing request from a worker and report when the two checks mismatch. It is surely doable but I have the impression it might be overkill in this case.
>
> Since the proposed behaviour is already implemented by Firefox (and it seems also by Safari), I believe the probability of this breaking something to be fairly low (developers would have noticed their websites not working on Firefox/Safari already).
>
> On Wed, Sep 29, 2021 at 1:21 PM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
>> Have you looked into the compatibility implications of changing behavior here? How often would that remove restrictions from existing web content? How often do dedicated workers currently get CSP headers which will now be applied?
>>
>> On Mon, Sep 27, 2021 at 12:50 PM Antonio Sartori <antoniosart...@chromium.org> wrote:
>>
>>> Contact emails: antoniosart...@chromium.org
>>>
>>> Specification
>>> https://html.spec.whatwg.org/#initialize-worker-policy-container
>>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#csp_in_workers
>>>
>>> Summary
>>>
>>> Dedicated workers should be governed by the Content Security Policy delivered in their script response headers. Chrome incorrectly used to instead apply the Content Security Policy of the owner document. We would like to change Chrome's behaviour to adhere to what is specified.
>>>
>>> For background, see the discussion on the GitHub issue where this was agreed: https://github.com/w3c/webappsec-csp/issues/336
>>>
>>> Blink component: Blink>SecurityFeature>ContentSecurityPolicy
>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3EContentSecurityPolicy>
>>>
>>> TAG review
>>>
>>> TAG review status: Not applicable
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> Gecko: Shipped/Shipping. See also the discussion on the issue https://github.com/w3c/webappsec-csp/issues/336
>>>
>>> WebKit: N/A
>>>

Why N/A?

>>> Web developers: Positive (https://bugs.chromium.org/p/chromium/issues/detail?id=1012640). This has been reported as a bug to Chrome.
>>>
>>> Debuggability
>>>
>>> Warnings regarding Content Security Policy are and will continue to be reported in the devtools console.
>>>
>>> Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? Yes
>>>
>>> Flag name
>>>
>>> Requires code in //chrome? False
>>>
>>> Tracking bug
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1253267
>>>
>>> Estimated milestones
>>>
>>> No milestones specified
>>>
>>> Link to entry on the Chrome Platform Status
>>> https://chromestatus.com/feature/5715844005888000
>>>
>>> This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOzWxF5EX2mHofXHLK_V7VTQ5v%3DPcunu_BiF%2BzFJQTFy9DSwTQ%40mail.gmail.com
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOzWxF5EX2mHofXHLK_V7VTQ5v%3DPcunu_BiF%2BzFJQTFy9DSwTQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.
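The thread turns on two checks that can disagree: the owner document's CSP, which Chrome used to apply to a dedicated worker's outgoing requests, and the CSP carried on the worker script's own response, which the HTML spec, Firefox and Safari apply. The following is an added example, not code from the intent or from Chromium, showing what Antonio's "check both and report when the two checks mismatch" audit looks like in practice. It implements the `connect-src` / `default-src` source-list matching needed to evaluate a worker's fetch and WebSocket requests under both policies side by side. Assumptions: the worker script is same-origin with its document (so `'self'` resolves to the same origin under both policies), only the fetch-directive subset of CSP relevant to worker requests is modelled (no nonces, hashes or `'unsafe-*'` keywords), and the two policy strings, the origin and the request URLs are constructed sample data.

```javascript
// Added example, not Chromium code: compare the CSP Chrome used to apply to a
// dedicated worker (the owner document's policy) with the CSP delivered on the
// worker script response (what the HTML spec, Firefox and Safari apply), and
// report each outgoing worker request where the two checks disagree.
// Scope is deliberately limited to connect-src / default-src source matching.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a Content-Security-Policy header value into { directive: [sourceExpr, ...] }.
// As in the spec, a directive that appears twice keeps its first occurrence.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// A source scheme also admits its secure upgrade: http: allows https:, ws: allows wss:.
function schemeMatches(sourceScheme, urlScheme) {
  if (sourceScheme === urlScheme) return true;
  return (sourceScheme === 'http:' && urlScheme === 'https:') ||
         (sourceScheme === 'ws:' && urlScheme === 'wss:');
}

// Match one source expression against a parsed URL; `self` is the policy's origin URL.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false;           // nonces, hashes, 'unsafe-*': not a host match
  if (e === '*') return url.protocol in DEFAULT_PORTS;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol); // scheme-source
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const requiredScheme = scheme ? scheme + ':' : self.protocol;
  if (!schemeMatches(requiredScheme, url.protocol)) return false;
  const urlHost = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!urlHost.endsWith(host.slice(1))) return false; // *.x.example matches a.x.example, not x.example
  } else if (host !== urlHost) {
    return false;
  }
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  if (port === undefined) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false; // no port given: default port only
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  if (path) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Is a request from the worker to `url` allowed under `header`? connect-src governs,
// default-src is the fallback, and the absence of both means no restriction.
function connectAllowed(header, url, policyOrigin) {
  const policy = parsePolicy(header || '');
  const list = policy['connect-src'] ?? policy['default-src'];
  if (list === undefined) return true;
  const u = new URL(url);
  const self = new URL(policyOrigin);
  return list.some((expr) => sourceMatches(expr, u, self));
}

// Run both checks for every outgoing worker request and flag the disagreements:
// `inherited` is the old Chrome result, `own` is the spec / Firefox / Safari result.
function auditWorkerRequests(docCsp, workerCsp, origin, urls) {
  return urls.map((url) => {
    const inherited = connectAllowed(docCsp, url, origin);
    const own = connectAllowed(workerCsp, url, origin);
    return { url, inherited, own, mismatch: inherited !== own };
  });
}

// Constructed sample data (hypothetical origin, policies and request URLs).
const ORIGIN = 'https://app.example';
const DOC_CSP = "default-src 'self'; connect-src 'self' https://api.example";
const WORKER_CSP = "default-src 'none'; connect-src 'self' https://*.telemetry.example:443 wss://push.example";
const REQUESTS = [
  'https://app.example/api/v1/items',     // allowed by both policies
  'https://api.example/graphql',          // document CSP allows, worker CSP blocks
  'https://eu.telemetry.example/ingest',  // worker CSP allows, document CSP blocks
  'wss://push.example/socket',            // worker CSP allows, document CSP blocks
  'http://insecure.example/',             // blocked by both
];

for (const row of auditWorkerRequests(DOC_CSP, WORKER_CSP, ORIGIN, REQUESTS)) {
  if (row.mismatch) console.log(`mismatch: ${row.url} inherited=${row.inherited} own=${row.own}`);
}
```

Both directions of mismatch matter for the compatibility question in the thread: a request the worker's own policy blocks but the document's policy allowed is the case where this change breaks something, and a request the worker's policy allows but the document's policy blocked is the case where Chrome's old behaviour was silently stricter than the spec. A use counter would only have to increment on `mismatch === true`, split by direction.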