Content-Security-Policy delivery via response headers for dedicated workers.

Category
Security
Type
No developer-visible change
Status
Enabled by default (Chrome 97)
Intent stage
Shipped

Summary

Dedicated workers should be governed by the Content Security Policy delivered in their script response headers. Chrome used to incorrectly apply the Content Security Policy of the owner document instead. We would like to change Chrome's behaviour to adhere to what is specified.

Motivation

This is sort of a bugfix. We'd like to change Chrome's behaviour to adhere to what was agreed on in the specification and what other vendors (mainly Firefox) already implement.

Standards & signals

View on chromestatus.com