#310: how to decide if workers are subresources or separate contexts
Discussions
Comment by @mikewest Oct 23, 2018 (See Github)
The specific issue we were debating in WebAppSec was whether or not a document's Content Security Policy (and Referrer Policy, et al) should be inherited by a dedicated worker, or whether the dedicated worker ought to be considered a distinct environment entirely with its own policy (which is the model we use for <iframe>, as well as Shared Workers and Service Workers).
Firefox implements the latter model, while Chrome implements the former. This is unfortunate, and we need some help working out the principles at play here.
Comment by @dbaron Sep 10, 2019 (See Github)
We're trying to figure out how relevant this issue still is. @mikewest do you think it is? I suspect that if the TAG needs to do something here, it would be helpful to have some sort of explainer or other written document.
Comment by @annevk Sep 25, 2019 (See Github)
This relates to https://github.com/w3ctag/design-principles/issues/111 and https://github.com/whatwg/html/issues/3270. This was discussed at TPAC of which I wrote a summary at https://github.com/whatwg/html/issues/3270#issuecomment-535062970. I think this can be closed at this point.
Discussed
Oct 2, 2019 (See Github)
Peter: David, you're the only one on this issue and it's marked as stalled.
David: Anne thinks it can be closed based on that summary... we should probably read that summary. Closing it is likely to be fine.
Peter: ... design principles
David: I think closing this one in favour of the design principles issue makes sense.
Peter: I'll put a note.
Comment by @plinss Oct 2, 2019 (See Github)
Will close here and follow up in https://github.com/w3ctag/design-principles/issues/111
Comment by @dbaron Oct 2, 2019 (See Github)
We discussed this briefly in today's teleconference and decided that there's probably some documenting of the state of things that should be done, but the open w3ctag/design-principles#111 is a better place to do that than here.
Opened Oct 23, 2018
WebAppSec fielded a question today that has some implications for our broader review: how do eventual URLs get propagated and inherited? Are there principles behind that? Should they be enunciated?
The specific question related to worker contexts which have to resolve URLs based on the parent document. WebAppSec and the CSP spec would like guidance here.
/cc @mikewest