Edge skips script-src CSP policy for workers

Issue #17415478 • Assigned to Liang Z.

Details

Author: Zach B.
Created: May 7, 2018
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 17
Reports: Reported by 1 person


Steps to reproduce

Given a CSP containing “default-src” and “script-src” policies, loading a worker (service worker, etc.) will skip the “script-src” policy and only check against the “default-src” policy.

The spec is unclear on the correct behavior. It doesn’t explicitly list script-src as a fallback for worker-src, but the script-src section mentions workers. MDN lists the fallback as "script-src". Chromium clearly did that intentionally: https://crbug.com/662930. Firefox behaves the same.
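
A policy can be checked ahead of deployment for the case this report describes, where a worker load ends up governed by a different directive depending on whether script-src is in the fallback chain. The following is an added example, not code from the issue or from any browser: the function names are hypothetical, the header strings are constructed, and the chain that includes script-src follows the worker-src fallback order documented by MDN.

```javascript
// Added illustration. parsePolicy, governingDirective and workerCoverageGap are
// hypothetical helper names, not part of any browser or library API.

// Fallback order for worker loads as documented by MDN (script-src included).
const WITH_SCRIPT_SRC = ['worker-src', 'child-src', 'script-src', 'default-src'];
// Same order with script-src skipped, which is the behaviour the report describes.
// Policies that set worker-src or child-src are outside the report and yield no finding.
const WITHOUT_SCRIPT_SRC = ['worker-src', 'child-src', 'default-src'];

// Parse one Content-Security-Policy header value into directive -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// First directive in the chain that the policy actually defines, or null.
function governingDirective(policy, chain) {
  return chain.find((name) => policy.has(name)) || null;
}

// Returns null when both models apply the same source list to workers,
// otherwise describes which directive was expected and which one is applied.
function workerCoverageGap(header) {
  const policy = parsePolicy(header);
  const expected = governingDirective(policy, WITH_SCRIPT_SRC);
  const applied = governingDirective(policy, WITHOUT_SCRIPT_SRC);
  if (expected === applied) return null;
  const expectedSources = policy.get(expected);
  const appliedSources = applied ? policy.get(applied) : null; // null: nothing restricts the worker
  const key = (list) => (list ? [...list].sort().join(' ') : null);
  if (key(expectedSources) === key(appliedSources)) return null;
  return { expected, expectedSources, applied, appliedSources };
}

// Constructed sample policy: scripts limited to 'self', everything else open.
console.log(workerCoverageGap("default-src *; script-src 'self'"));
```

A non-null result means the worker source list differs between the two behaviours for that policy, so the stricter script-src list is not what gets enforced on worker loads in a browser that skips it.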
