https://github.com/w3c/webappsec-csp/issues/146 spells out the rationale. The spec's already updated: https://w3c.github.io/webappsec-csp/#directive-child-src

Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1320924
WebKit: https://bugs.webkit.org/show_bug.cgi?id=165136
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/611548d6e7771f941d1de55442412ebdffc688c9

commit 611548d6e7771f941d1de55442412ebdffc688c9
Author: Andy Paicu <andypaicu@chromium.org>
Date: Mon Jul 09 12:46:46 2018

Un-deprecated 'child-src'

'child-src' is now part of the fallback chain for 'worker-src'. This means that 'child-src' always takes precedence over 'script-src' when checking worker requests.

Added extra tests to ensure that a worker request blocked by 'child-src' and allowed by 'script-src' is blocked.

Removed previous logic that considered 'script-src' to be the fallback for 'worker-src' and amended tests.

Removed "temporary" logic put in place to not break sites using "child-src".

Refactored the OperativeDirective logic to ensure that the caller does not need to be aware of the precise fallback chain of the directive, otherwise the way to get the 'worker-src' operative directive would be:

OperativeDirective(worker_src_.Get(), OperativeDirective(child_src_.Get(), OperativeDirective(script_src_.Get())));

To be submitted with the spec PR as it includes tests.

Spec: https://github.com/w3c/webappsec-csp/pull/313
Bug: 669496
Change-Id: I7ca9552df1d0ce203a604b0e469a268f6b112e49
Reviewed-on: https://chromium-review.googlesource.com/1128087
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573278}

[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/dedicated-worker-helper.js
[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/service-worker-helper.js
[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/shared-worker-helper.js
[add] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/dedicated-worker-src-child-fallback-blocked.sub.html
[add] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/service-worker-src-child-fallback-blocked.https.sub.html
[add] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/worker-src/shared-worker-src-child-fallback-blocked.sub.html
[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/blink/renderer/core/frame/csp/csp_directive_list.cc
[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/blink/renderer/core/frame/csp/csp_directive_list.h
[modify] https://crrev.com/611548d6e7771f941d1de55442412ebdffc688c9/third_party/blink/renderer/core/frame/csp/csp_directive_list_test.cc
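As an added illustration of the fallback chain the commit describes (example code written for this page, not Blink's or the spec's own): a small JavaScript model in which `FALLBACKS`, `parsePolicy`, `operativeDirective` and `checkWorkerRequest` are assumed names, and source-expression matching is simplified to 'none', 'self', '*' and exact origins.

```javascript
// Added example (not Blink's code): a model of the CSP3 fallback chains that
// decide which directive governs a worker request, as described in the commit.
const FALLBACKS = {
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'child-src': ['child-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
};

// Parse "name src src; name src" into Map(name -> [sources]).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Walk the chain and return the first directive present in the policy, or null.
// The caller never needs to know the chain itself, which is the refactor's point.
function operativeDirective(policy, directive) {
  for (const name of FALLBACKS[directive] || [directive, 'default-src']) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Simplified source-expression matching: 'none', 'self', '*' and exact origins.
function sourceListAllows(sources, requestUrl, pageOrigin) {
  if (sources.includes("'none'")) return false;
  const origin = new URL(requestUrl).origin;
  return sources.some((src) =>
    src === '*' || src === origin || (src === "'self'" && origin === pageOrigin));
}

// Decide whether a worker fetch is allowed and report which directive decided.
function checkWorkerRequest(header, pageOrigin, workerUrl) {
  const policy = parsePolicy(header);
  const directive = operativeDirective(policy, 'worker-src');
  if (directive === null) return { directive: null, allowed: true }; // nothing applies
  const allowed = sourceListAllows(policy.get(directive), workerUrl, pageOrigin);
  return { directive, allowed };
}

// Constructed sample: the case the commit's new tests cover. 'child-src' governs
// the worker and blocks it even though 'script-src' alone would have allowed it.
console.log(checkWorkerRequest("child-src 'none'; script-src 'self'",
  'https://app.example', 'https://app.example/worker.js'));
```

Under the pre-commit logic, which skipped 'child-src' for worker requests, the sample policy would have fallen through to 'script-src' and allowed the worker; the model shows why the tests named `*-child-fallback-blocked` expect a block.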
Comment 1 by mkwst@chromium.org, Nov 29 2016