Steps to reproduce
Given a CSP containing “default-src” and “script-src” policies, loading a worker (service worker, etc.) will skip the “script-src” policy and only check against the “default-src” policy.
The spec is unclear on the correct behavior. It doesn’t explicitly list script-src as a fallback for worker-src, but the script-src section mentions workers. MDN lists the fallback as "script-src". Chromium clearly did that intentionally: https://crbug.com/662930. Firefox behaves the same.
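As an added illustration (not code from the report or from any browser's implementation), the following models the two fallback behaviours the report contrasts: consulting only default-src for a worker load, versus the CSP Level 3 chain worker-src, child-src, script-src, default-src. The header strings and origins are constructed, source matching is simplified to whole origins, and `models_agree` flags a policy whose worker verdict would differ between the two behaviours.

```python
# Constructed example: which CSP directive governs a worker script load
# under two fallback models, and whether a policy gives the same verdict
# under both. Source matching is deliberately simplified (origins only).
from __future__ import annotations

FALLBACK = {
    # behaviour the report describes: only default-src is consulted
    "default_only": ["default-src"],
    # CSP Level 3 chain: worker-src, then child-src, script-src, default-src
    "csp3": ["worker-src", "child-src", "script-src", "default-src"],
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(policy: dict[str, list[str]], model: str) -> str | None:
    """First directive of the model's fallback chain that is present in the policy."""
    return next((d for d in FALLBACK[model] if d in policy), None)


def worker_allowed(policy, worker_origin: str, page_origin: str, model: str) -> bool:
    """Simplified source-list check for a worker fetched from worker_origin."""
    directive = governing_directive(policy, model)
    if directive is None:
        return True  # no applicable directive, so the load is unrestricted
    for src in policy[directive]:
        if src == "'none'":
            return False
        if src == "*" or src == worker_origin:
            return True
        if src == "'self'" and worker_origin == page_origin:
            return True
        if src.endswith(":") and worker_origin.startswith(src):  # scheme-source
            return True
    return False


def models_agree(policy, worker_origin: str, page_origin: str) -> bool:
    """True when the verdict does not depend on which fallback model a browser uses."""
    verdicts = {worker_allowed(policy, worker_origin, page_origin, m) for m in FALLBACK}
    return len(verdicts) == 1
```

Adding an explicit worker-src (or making default-src and script-src agree on worker origins) is what makes `models_agree` return True.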
Comments and activity
Actually it sounds like Edge is correct here. https://github.com/w3c/webappsec-csp/issues/299
Actually, Edge is maybe correct per w3c but incorrect per WHATWG. WHATWG seems to have the correct behavior and w3c seems to have old info in their spec. See https://github.com/w3c/webappsec-csp/issues/299#issuecomment-387216954.
- Microsoft Edge Team
Changed Assigned To to “wwatri”
Changed Assigned To from “wwatri” to “Liang Z.”