Closed
Bug 1320931
Opened 8 years ago
Closed 3 years ago
CSP: Dedicated web workers inherit policy.
Categories
(Core :: DOM: Security, defect, P3)
RESOLVED
INVALID
People
(Reporter: mkwst, Unassigned)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.100 Safari/537.36
Steps to reproduce:
Based on discussion at https://github.com/w3c/webappsec-csp/issues/146, it seems reasonable to inherit policy from a document into its dedicated (but not shared/service) workers.
Basically, revert https://bugzilla.mozilla.org/show_bug.cgi?id=1223647. Sorry. :(
Updated•8 years ago
Component: Activity Streams: General → DOM: Security
Product: Firefox → Core
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Updated•8 years ago
Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Comment 1•7 years ago
As a workaround for this, Firefox does respect a CSP header set on the web worker's script file, even though it fails to inherit the document policy.
This still needs to be addressed though.
This behavior was reverted or never properly specified. To quote myself in bug 1740944 comment 6:
It seems like the CSP specification wanted workers to inherit at some point, but this was reverted again. The latest issue that I've found is this:
I think there is agreement now. Workers must not inherit CSP directives from the parent context, and rather use their own CSPs as delivered by their response headers.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
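Added example, not part of the bug thread or of Firefox's code: since the resolution above is that a worker's policy comes from its own script response rather than from the parent document, this sketch attaches a CSP to worker script responses and audits response records for worker scripts that have no enforced policy. The `/workers/` layout, the policy strings, the function names and the sample records are constructed assumptions.

```javascript
// Added example: names, paths and policy strings below are constructed assumptions.
const DOCUMENT_CSP = "default-src 'self'; worker-src 'self'";
const WORKER_CSP = "default-src 'none'; connect-src 'self'";

// Fetch request destinations that identify a worker script load.
const WORKER_DESTINATIONS = new Set(['worker', 'sharedworker', 'serviceworker']);

// Hypothetical server-side helper: worker scripts live under /workers/.
// The worker's policy is attached to the worker script's own response.
function headersFor(pathname) {
  const isWorker = pathname.startsWith('/workers/') && pathname.endsWith('.js');
  return {
    'Content-Type': isWorker ? 'text/javascript' : 'text/html',
    'Content-Security-Policy': isWorker ? WORKER_CSP : DOCUMENT_CSP,
  };
}

// Return the enforced policy of a response, or null if there is none.
// Header names are case-insensitive; a Report-Only header does not enforce.
function enforcedCsp(headers) {
  for (const [name, value] of Object.entries(headers)) {
    const policy = String(value).trim();
    if (name.toLowerCase() === 'content-security-policy' && policy !== '') {
      return policy;
    }
  }
  return null;
}

// List worker script URLs whose response carries no enforced CSP of its own.
function findUnprotectedWorkers(responses) {
  return responses
    .filter((r) => WORKER_DESTINATIONS.has(r.destination))
    .filter((r) => enforcedCsp(r.headers) === null)
    .map((r) => r.url);
}

// Constructed response records (not captured traffic).
const sampleResponses = [
  { url: '/index.html', destination: 'document', headers: headersFor('/index.html') },
  { url: '/workers/parse.js', destination: 'worker', headers: headersFor('/workers/parse.js') },
  { url: '/legacy/sync.js', destination: 'worker', headers: { 'content-type': 'text/javascript' } },
  { url: '/legacy/stats.js', destination: 'sharedworker',
    headers: { 'Content-Security-Policy-Report-Only': "default-src 'none'" } },
];

console.log(findUnprotectedWorkers(sampleResponses));
```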