Hello Webkit-dev,

I would like to ask for WebKit's official position on how Content Security Policy [1] for dedicated workers should be delivered. We have had two possibilities in the past:

(a) Dedicated workers inherit the Content Security Policy from their owner context.
(b) Dedicated workers use the policy delivered in their resource Content Security Policy HTTP response headers.

The specced behaviour in CSP3 was initially to do (a). However, Mozilla officially requested [2] to switch to (b) quite some time ago. The spec since then was refactored (inheritance and CSP initialization moved from CSP to HTML), and the specified behaviour is now (b) [3].

Chrome currently implements (a) while Firefox implements (b). We would like [4] to change Chrome's behaviour to also adhere to the specified behaviour and implement (b).

While from the few Web Platform Tests [5] we have in place I am guessing WebKit also implements (b), I would like to ask for an official position here.

Thanks,
Antonio

[1] https://w3c.github.io/webappsec-csp/
[2] https://github.com/w3c/webappsec-csp/issues/336#issuecomment-423165240
[3] https://html.spec.whatwg.org/#initialize-worker-policy-container
[4] https://chromestatus.com/feature/5715844005888000
[5] https://wpt.fyi/results/content-security-policy/inside-worker?label=experimental&label=master&aligned
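Added example, not part of the original message and not browser code: a small JavaScript model of options (a) and (b) that shows which policy governs a `fetch()` made inside a dedicated worker. It assumes the worker script is fetched over HTTPS with its own response headers; the header values, origins and function names are constructed for illustration, and source matching is simplified to `'self'` and exact origins.

```javascript
// Constructed sample headers: the owner page's CSP and the worker script response's CSP.
const OWNER_CSP = "default-src 'self'; connect-src 'self' https://api.example.test";
const WORKER_CSP = "connect-src 'self'";
const SELF = "https://app.example.test"; // constructed origin of page and worker script

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Select the policy the worker runs under.
// "inherit" models option (a); "response" models option (b).
function workerPolicy(mode, ownerHeader, workerResponseHeader) {
  return parseCsp(mode === "inherit" ? ownerHeader : workerResponseHeader);
}

// Simplified connect-src check with default-src fallback.
function allowsConnect(policy, url, selfOrigin) {
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no governing directive: unrestricted
  const origin = new URL(url).origin;
  return sources.some(
    (s) => (s === "'self'" && origin === selfOrigin) || s === origin
  );
}

// Evaluate the same worker fetch under both delivery options.
function compare(url, workerResponseHeader) {
  return {
    a: allowsConnect(workerPolicy("inherit", OWNER_CSP, workerResponseHeader), url, SELF),
    b: allowsConnect(workerPolicy("response", OWNER_CSP, workerResponseHeader), url, SELF),
  };
}

console.log(compare("https://api.example.test/v1", WORKER_CSP));
// Worker script served with no CSP header at all:
console.log(compare("https://other.example.test/", ""));
```

The second call is the case to audit for under (b): in this model a worker script response that carries no Content-Security-Policy header leaves the worker unrestricted even though the owner page has a policy, so worker script responses need their own header.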