It seems like the CSP specification wanted workers to inherit, but this was revert again. The latest issue that I've found is this: > I think there is agreement now. Workers must not inherit CSP directives from the parent context, and rather use their own CSPs as delivered by their response headers. https://github.com/w3c/webappsec-csp/issues/336
Bug 1740944 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
It seems like the CSP specification wanted workers to inherit at some point, but this was reverted again. The latest issue that I've found is this: > I think there is agreement now. Workers must not inherit CSP directives from the parent context, and rather use their own CSPs as delivered by their response headers. https://github.com/w3c/webappsec-csp/issues/336