Dedicated workers should be governed by the Content Security Policy delivered in their script response headers. Chrome previously applied the Content Security Policy of the owner document instead, which was incorrect. We would like to change Chrome's behaviour to adhere to what is specified.

Motivation

This is essentially a bugfix. We'd like to change Chrome's behaviour to adhere to what was agreed on in the specification and what other vendors (Firefox mainly) already implement.

Specification

Specification link


Final published standard: Recommendation, Living Standard, Candidate Recommendation, or similar final form

Status in Chromium

Blink>SecurityFeature>ContentSecurityPolicy


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • N/A
  • Positive

Owner

Last updated on 2021-11-03