Closed Bug 1320931 Opened 8 years ago Closed 2 years ago

CSP: Dedicated web workers inherit policy.

Categories

(Core :: DOM: Security, defect, P3)

RESOLVED INVALID

People

(Reporter: mkwst, Unassigned)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.100 Safari/537.36

Steps to reproduce:

Based on discussion at https://github.com/w3c/webappsec-csp/issues/146, it seems reasonable to inherit policy from a document into its dedicated (but not shared/service) workers. Basically, revert https://bugzilla.mozilla.org/show_bug.cgi?id=1223647. Sorry. :(
Component: Activity Streams: General → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
As a workaround for this, Firefox does respect a CSP header set on the web worker's script file, even though it fails to inherit the document policy. This still needs to be addressed, though.

This behavior was reverted or never properly specified. To quote myself in bug 1740944 comment 6:

It seems like the CSP specification wanted workers to inherit at some point, but this was reverted again. The latest issue that I've found is this:

I think there is agreement now. Workers must not inherit CSP directives from the parent context, and rather use their own CSPs as delivered by their response headers.

https://github.com/w3c/webappsec-csp/issues/336

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID