# Contact Emails
# Spec
# Summary
1. It introduces a `worker-src` directive, which governs loading {,Shared,Service}Workers.
2. Workers (and `worker-src`) no longer default to `child-src`, but instead `script-src`.
3. Dedicated workers inherit policy from their creator, and no longer get their own policy distinct from that context.
# Motivation
Currently, we ship `child-src`, which restricts both frames and workers. This seemed like a great idea, but turns out to be both not granular enough for developers, and simply the wrong model. CSP3 deprecates `child-src` by undeprecating `frame-src` (which we've already done) and adding `worker-src`.
# Interop Risk
Folks on the last webappsec call agreed that this was the right way forward. There are still some questions about how and when shared and service workers should inherit policy, so I'm holding off on making changes there, but we had general agreement on dedicated workers. I don't think we'll change our minds again (again).
CCing folks from other browsers who were on the call, along with the change's instigators, just in case I'm misrepresenting the level of agreement.
# Compat Risk
1. `worker-src` is new: CSP implementations ignore directives they don't understand; adding new directives will not break existing sites.
2. The risk here is low: ~0.0012% of page views try to load a worker which `child-src` allows, but `script-src` doesn't. I think we'd be alright just eating that risk, but since we've already jerked developers around on this once (to introduce `child-src`), I'd like to temporarily treat both `script-src` and `child-src` as allowing workers, and introduce a deprecation message that we can disable in a release or three. We will not break existing sites. If the new `worker-src` is present, we'll assume that developers know what they're doing, and treat `child-src` as deprecated for workers.
3. The risk here turns out to be zero, because our implementation is broken. In investigating things, I discovered that we're currently applying _both_ the policy delivered with a dedicated worker _and_ the policy delivered with the page that loaded the worker. *cough* I'll fix that (also, anecdotally, this behavior is what a plurality of developers in a totally scientific poll already think is happening).
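As an added illustration (not code from this intent or from Chromium), here is a small JavaScript model of the directive lookup for worker loads described in points 1 and 2 above: `worker-src` governs when present (and `child-src` is then ignored for workers); otherwise, during the transition, both the old `child-src` chain and the new `script-src` chain are consulted, with a deprecation warning whenever only `child-src` allows the load; with the transition switched off, the final CSP3 chain `worker-src`, then `script-src`, then `default-src` applies. The source-expression matcher is a simplifying assumption (`'none'`, `*`, `'self'`, scheme-only and host sources with an optional `*.` wildcard; ports, paths, nonces and hashes are ignored), and the sample policies are constructed for the demonstration.

```javascript
// Added example: a model of which CSP directive governs a worker load under
// the rules in this intent. Not Chromium's implementation; the source
// expression matcher is a simplifying assumption (ports, paths, nonces and
// hashes are ignored).

function parsePolicy(header) {
  const policy = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // CSP ignores a repeated directive: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return /^(https?|wss?):$/.test(url.protocol);
  // Scheme-only source, e.g. "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // Host source with an optional scheme; an omitted scheme means the page's own.
  let scheme = self.protocol;
  let rest = expr;
  const i = expr.indexOf('://');
  if (i !== -1) { scheme = expr.slice(0, i + 1); rest = expr.slice(i + 3); }
  if (url.protocol !== scheme.toLowerCase()) return false;
  const pattern = rest.split('/')[0].split(':')[0].toLowerCase();
  const host = url.hostname.toLowerCase();
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function allows(sources, url, self) {
  if (sources === undefined) return true; // nothing in the chain: no restriction
  return sources.some((expr) => sourceMatches(expr, url, self));
}

// The first directive in the fallback chain that is present governs the load.
function operative(policy, chain) {
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return undefined;
}

function checkWorker(policy, workerUrl, self, { transition = true } = {}) {
  const url = new URL(workerUrl, self);
  if (policy.has('worker-src') || !transition) {
    // Final CSP3 behaviour: worker-src, else script-src, else default-src.
    // With worker-src present, child-src plays no part for workers.
    const sources = operative(policy, ['worker-src', 'script-src', 'default-src']);
    return { allowed: allows(sources, url, self), warning: null };
  }
  // Transition: honour both the old chain (child-src) and the new one (script-src),
  // and warn about loads that only the old chain permits.
  const byChild = allows(operative(policy, ['child-src', 'default-src']), url, self);
  const byScript = allows(operative(policy, ['script-src', 'default-src']), url, self);
  const warning = byChild && !byScript
    ? `Worker ${url.href} is allowed by child-src but not script-src; ` +
      'it will be blocked once child-src no longer governs workers. Add worker-src.'
    : null;
  return { allowed: byChild || byScript, warning };
}

const SELF = new URL('https://example.com/app');

// Constructed sample policies paired with the worker URL each page tries to load.
const SAMPLES = [
  ["child-src https://workers.example.com; script-src 'self'", 'https://workers.example.com/w.js'],
  ["worker-src 'none'; child-src *", 'https://workers.example.com/w.js'],
  ["script-src 'self' *.example.com", 'https://workers.example.com/w.js'],
  ["default-src 'self'", '/w.js'],
  ["default-src 'self'", 'https://evil.example.net/w.js'],
];

function runSamples(options) {
  return SAMPLES.map(([header, worker]) => checkWorker(parsePolicy(header), worker, SELF, options));
}

for (const [i, r] of runSamples().entries()) {
  console.log(SAMPLES[i][0], '=>', r.allowed ? 'allowed' : 'blocked', r.warning ? '(deprecation warning)' : '');
}
```

Running it with the transition on, the first sample is allowed but warns (only `child-src` permits it), the second is blocked because `worker-src 'none'` takes precedence over `child-src *`, and the rest behave identically under both chains; passing `{ transition: false }` to `checkWorker` turns the first sample into a block, which is exactly the ~0.0012% case the deprecation message is meant to flag in advance.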
# Technical Constraints
None.
# All Blink Platforms?
Yes.
# OWP Bug
# Chromestatus
# Requesting approval to ship?
Yes.