[whatwg] [Workers] CSP and SharedWorkers

Jake Archibald jaffathecake at gmail.com
Thu Sep 26 07:28:11 PDT 2013

On 26 September 2013 14:57, Jake Archibald <jaffathecake at gmail.com> wrote:

> Note, this only covers registration. If http://example.com allows
> controllers from http://example.co.uk, and successfully calls
> registerServiceWorker("/*", "http://example.co.uk/service.js"), that
> controller will be used for all top-level fetches on http://example.com,
> and all fetches originating from documents on http://example.com,
> regardless of their CSP headers.

Oops, that's misleading, I mean the existing worker will be used for all
fetches even if the CSP rule of the page has changed to disallow
registering of that worker. The CSP of the page will still govern script
loading, XHR etc. If the page's CSP disallows a resource from a particular
URL, it won't consult the worker at all.

If the page requests an allowed url, and the worker serves up a response
(cached or otherwise) from a not-allowed url, CSP should block it.

(apologies for saying "controller" when I mean "service worker")

More information about the whatwg mailing list