I'm not sure I agree with my own comment -- that's an insane fall-back path. Might ease some backwards compatibility problems, but we don't know how many of those there will be. But then we have to live with the insanity forever.
-Dan Veditz

On Mon, Sep 25, 2017 at 1:01 AM, Christoph Kerschbaumer <ckers...@gmail.com> wrote:

> On Sep 22, 2017, at 10:27 PM, Daniel Veditz <dved...@mozilla.com> wrote:
>
> Christoph said
>
>> For backwards compatibility child-src will still be enforced for:
>> * workers (if worker-src is not explicitly specified)
>
> But the spec says the fallback is script-src. Surely anyone who uses
> child-src will also have a script-src so how is this going to work? How
> does Chrome work?
>
> It’s too confusing, but that’s why I initially filed
> https://github.com/w3c/webappsec-csp/issues/238, because the spec still
> mentioned that child-src will govern workers in the absence of worker-src.
>
> Filed https://github.com/w3c/webappsec-csp/issues/239 to remove the
> worker mentions from child-src since the rest of the spec (including the
> algorithm in that section) implies that's incorrect.
>
> Ultimately I agree with your comment in issue 238. Probably the fallback
> should be, worker-src, child-src, and then script-src, default-src. Either
> way, I think we can find a solution within issue 239, thanks for filing.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
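
The two worker fallback orders debated in this thread, resolved against one policy, as an added example that is not part of the original messages or of any browser's code. The chain labels, the sample policy and origins, and the simplified source matching (`'self'` and exact origins only) are assumptions of this example.

```javascript
// Fallback chains named in the thread (the labels are this example's own).
const CHAINS = {
  specAsRead: ["worker-src", "script-src", "default-src"],
  proposed: ["worker-src", "child-src", "script-src", "default-src"],
};

// Constructed sample: a site that listed its worker host under child-src
// and, as the thread expects of most sites, also has a script-src.
const SAMPLE_POLICY = "script-src 'self'; child-src https://workers.example";
const PAGE_ORIGIN = "https://app.example";
const WORKER_URL = "https://workers.example/w.js";

// Parse a serialized policy into Map(directive name -> source list).
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// First directive in the chain that the policy specifies, or null when
// none is present (the policy then places no restriction on workers).
function effectiveWorkerDirective(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Simplified matching: 'self' and exact origins only. 'none' or an empty
// source list matches nothing, so the load is blocked.
function workerAllowed(header, chainName, workerUrl, pageOrigin) {
  const hit = effectiveWorkerDirective(parsePolicy(header), CHAINS[chainName]);
  if (hit === null) return true;
  const origin = new URL(workerUrl).origin;
  return hit.sources.some((src) =>
    src.toLowerCase() === "'self'" ? origin === pageOrigin : src === origin);
}

for (const chain of Object.keys(CHAINS)) {
  const hit = effectiveWorkerDirective(parsePolicy(SAMPLE_POLICY), CHAINS[chain]);
  const ok = workerAllowed(SAMPLE_POLICY, chain, WORKER_URL, PAGE_ORIGIN);
  console.log(`${chain}: governed by ${hit.name}, worker ${ok ? "allowed" : "blocked"}`);
}
```

With the sample policy the same worker load is blocked when script-src is the first fallback and allowed when child-src is consulted first, which is the backwards-compatibility difference the thread is weighing.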