On Fri, Sep 22, 2017 at 7:24 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> > We plan to ship the CSP directive worker-src within Firefox 58.
>
> Will we also start enforcing script-src for workers? It seems good
> that if you restrict script it actually stops all scripts.

Yes. That's what we enforced under our original proposal and under CSP1. Then the spec changed in a non-backwards-compatible way and left worker scripts unprotected by default (caused a bunch of Firefox OS breakage). Now it's changing again in CSP3, and breaking backwards compatibility again.

Christoph said

> For backwards compatibility child-src will still be enforced for:
> * workers (if worker-src is not explicitly specified)

But the spec says the fallback is script-src. Surely anyone who uses child-src will also have a script-src, so how is this going to work? How does Chrome work?

Filed https://github.com/w3c/webappsec-csp/issues/239 to remove the worker mentions from child-src since the rest of the spec (including the algorithm in that section) implies that's incorrect.

-Dan Veditz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
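The disagreement above is about which directive governs a worker request when worker-src is absent. The following is an added example, not code from the thread or from Firefox; it models the CSP3 fetch-directive fallback list for worker requests (worker-src, then child-src, then script-src, then default-src) beside the older CSP2 chain (child-src, then default-src), so the effect of the spec change on a few constructed policies can be seen. The policies, URLs and hostnames are constructed for illustration, and the source-expression matcher is deliberately simplified (no port or path matching, no nonces or hashes).

```python
"""Resolve which CSP directive governs a worker request and whether it passes.

Added example. The directive chains below follow the fallback lists the
thread discusses (CSP3 adds worker-src in front of child-src and makes
script-src a fallback; CSP2 used child-src only). Matching is simplified:
'self', 'none', '*', scheme-only sources and host sources with an optional
leading '*.'; ports and paths are ignored.
"""
from urllib.parse import urlsplit

CSP3_WORKER_CHAIN = ("worker-src", "child-src", "script-src", "default-src")
CSP2_WORKER_CHAIN = ("child-src", "default-src")


def parse_policy(header: str) -> dict:
    """Parse 'name src src; name2 src' into {name: [sources]}.

    A repeated directive name is ignored after its first occurrence, as CSP does.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def governing_directive(policy: dict, chain: tuple):
    """Return the first directive of the chain that the policy actually sets, or None."""
    for name in chain:
        if name in policy:
            return name
    return None


def source_matches(expr: str, url: str, page_origin: tuple) -> bool:
    """Simplified source-expression match of one expression against a URL."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if expr == "*":
        # CSP's '*' does not cover data:, blob: or filesystem: URLs
        return u.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":"):  # scheme-source such as https:
        return u.scheme == expr[:-1].lower()
    scheme, sep, hostport = expr.partition("://")
    if not sep:
        scheme, hostport = "", expr
    host = hostport.split("/", 1)[0].split(":", 1)[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def worker_allowed(header: str, worker_url: str, page_url: str,
                   chain: tuple = CSP3_WORKER_CHAIN):
    """Return (allowed, governing_directive) for a worker script request.

    If no directive in the chain is set, the policy places no restriction on
    worker scripts and (True, None) is returned.
    """
    policy = parse_policy(header)
    directive = governing_directive(policy, chain)
    if directive is None:
        return True, None
    p = urlsplit(page_url)
    origin = (p.scheme, p.netloc)
    allowed = any(source_matches(e, worker_url, origin) for e in policy[directive])
    return allowed, directive


# Constructed sample policies (not from the thread)
POLICY_CHILD_AND_SCRIPT = "child-src 'self'; script-src 'self' https://cdn.example"
POLICY_SCRIPT_ONLY = "default-src 'none'; script-src 'self'"
POLICY_WORKER_SRC = "worker-src https://workers.example; script-src 'self'"

if __name__ == "__main__":
    page = "https://app.example/"
    for name, pol in (("child+script", POLICY_CHILD_AND_SCRIPT),
                      ("script-only", POLICY_SCRIPT_ONLY),
                      ("worker-src", POLICY_WORKER_SRC)):
        for url in ("https://app.example/w.js", "https://cdn.example/w.js",
                    "https://workers.example/w.js"):
            print(name, url, "CSP3:", worker_allowed(pol, url, page),
                  "CSP2:", worker_allowed(pol, url, page, CSP2_WORKER_CHAIN))
```

With the first policy, a worker fetched from the CDN is blocked under both chains because child-src sits ahead of script-src in the CSP3 list, which is the point of the "child-src will still be enforced" remark; with the second policy the two chains diverge, since CSP3 falls through to script-src while CSP2 lands on default-src 'none'.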