#310: how to decide if workers are subresources or separate contexts

Visit on Github.

Opened Oct 23, 2018

WebAppSec fielded a question today that has some implications for our broader review: how do eventual URLs get propagated and inherited? Are there principles behind that? Should they be enunciated?

The specific question related to worker contexts which have to resolve URLs based on the parent document. WebAppSec and the CSP spec would like guidance here.

/cc @mikewest

Discussions

Comment by @mikewest Oct 23, 2018 (See Github)

The specific issue we were debating in WebAppSec was whether or not a document's Content Security Policy (and Referrer Policy, et al) should be inherited by a dedicated worker, or whether the dedicated worker ought to be considered a distinct environment entirely with its own policy (which is the model we use for <iframe>, as well as Shared Workers and Service Workers).

Firefox implements the latter model, while Chrome implements the former. This is unfortunate, and we need some help working out the principles at play here.

Comment by @dbaron Sep 10, 2019 (See Github)

We're trying to figure out how relevant this issue still is. @mikewest do you think it is? I suspect that if the TAG needs to do something here, it would be helpful to have some sort of explainer or other written document.

Comment by @annevk Sep 25, 2019 (See Github)

This relates to https://github.com/w3ctag/design-principles/issues/111 and https://github.com/whatwg/html/issues/3270. This was discussed at TPAC of which I wrote a summary at https://github.com/whatwg/html/issues/3270#issuecomment-535062970. I think this can be closed at this point.

Discussed Oct 2, 2019 (See Github)

Peter: David, you're the only one on this issue and it's marked as stalled.

David: Anne thinks it can be closed based on that summary... we should probably read that summary. Closing it is likely to be fine.

Peter: ... design principles

David: I think closing this one in favour of the design principles issue makes sense.

Peter: I'll put a note.

Comment by @plinss Oct 2, 2019 (See Github)

Will close here and follow up in https://github.com/w3ctag/design-principles/issues/111

Comment by @dbaron Oct 2, 2019 (See Github)

We discussed this briefly in today's teleconference and decided that there's probably some documenting of the state of things that should be done, but the open w3ctag/design-principles#111 is a better place to do that than here.