> On Sep 22, 2017, at 10:27 PM, Daniel Veditz <dved...@mozilla.com> wrote:
> Christoph said
> For backwards compatibility child-src will still be enforced for:
>   * workers (if worker-src is not explicitly specified)
> 
> But the spec says the fallback is script-src. Surely anyone who uses 
> child-src will also have a script-src so how is this going to work? How does 
> Chrome work?

It’s too confusing, but that’s why I initially filed 
https://github.com/w3c/webappsec-csp/issues/238, because the spec still 
mentioned that child-src will govern workers in the absence of worker-src.

> 
> Filed https://github.com/w3c/webappsec-csp/issues/239 to remove the worker 
> mentions from child-src since the rest of the spec (including the algorithm 
> in that section) implies that's incorrect.

Ultimately I agree with your comment in issue 238. Probably the fallback should 
be worker-src, child-src, and then script-src, default-src. Either way, I 
think we can find a solution within issue 239, thanks for filing.



_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
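
The ambiguity discussed in this thread, as an added example that is not part of the original messages or of any browser's code: it resolves which directive governs a worker load under the two fallback orders mentioned above. The policy strings, function names and chain names are constructed for illustration, and the default-src tail of the first chain is an assumption.

```javascript
// Parse a serialized CSP into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fallback orders for worker loads as discussed in the thread.
const CHAINS = {
  // "the spec says the fallback is script-src" (default-src tail assumed)
  specReading: ['worker-src', 'script-src', 'default-src'],
  // order suggested in the reply: worker-src, child-src, script-src, default-src
  proposed: ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Return the first directive in the chain that the policy declares,
// or null when nothing in the chain is present (load unrestricted).
function governingDirective(header, chainName) {
  const policy = parsePolicy(header);
  for (const name of CHAINS[chainName]) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Constructed policies: a legacy one that uses child-src for workers,
// and the same policy with an explicit worker-src added.
const LEGACY = "default-src 'none'; script-src 'self'; child-src https://workers.example";
const EXPLICIT = LEGACY + "; worker-src https://workers.example";

for (const chain of Object.keys(CHAINS)) {
  const legacy = governingDirective(LEGACY, chain);
  const explicit = governingDirective(EXPLICIT, chain);
  console.log(`${chain}: legacy -> ${legacy.name} ${legacy.sources.join(' ')}; ` +
              `explicit -> ${explicit.name} ${explicit.sources.join(' ')}`);
}
```

With the legacy policy the two orders pick different directives (script-src versus child-src), so a worker hosted on the child-src origin is allowed under one and blocked under the other; declaring worker-src explicitly removes the dependence on fallback order.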
