We've settled on a 'worker-src' model. Closing w3c/webappsec-csp#146.

index.html

@@ -1176,7 +1176,7 @@
 		}
 	}
 </style>
-  <meta content="Bikeshed version 7e43b56c4e1ede2eed18417e4d8def49e6eb4bd8" name="generator">
+  <meta content="Bikeshed version a65093ce3e69a8d01029b4650499d152cd9bd39a" name="generator">
 <style>
   ul.toc ul ul ul {
     margin: 0 0 0 2em;
@@ -1453,7 +1453,7 @@
   <div class="head">
    <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
    <h1>Content Security Policy Level 3</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-03-08">8 March 2017</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-03-17">17 March 2017</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -1885,7 +1885,6 @@ <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span cla
        <li data-md="">
         <p>Dedicated workers now always inherit their creator’s policy.</p>
       </ol>
-      <p class="issue" id="issue-f16cc5a8"><a class="self-link" href="#issue-f16cc5a8"></a> This still might not be the right model. <a href="https://github.com/w3c/webappsec-csp/issues/146">&lt;https://github.com/w3c/webappsec-csp/issues/146></a></p>
      <li data-md="">
       <p>The URL matching algorithm now treats insecure schemes and ports as
   matching their secure variants. That is, the source expression <code>http://example.com:80</code> will match both <code>http://example.com:80</code> and <code>https://example.com:443</code>.</p>
@@ -5703,7 +5702,6 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
 </pre>
   <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
   <div style="counter-reset:issue">
-   <div class="issue"> This still might not be the right model. <a href="https://github.com/w3c/webappsec-csp/issues/146">&lt;https://github.com/w3c/webappsec-csp/issues/146></a><a href="#issue-f16cc5a8"> ↵ </a></div>
    <div class="issue"> <code>unsafe-hashed-attributes</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a><a href="#issue-2f321613"> ↵ </a></div>
    <div class="issue"> <code>'report-sample'</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/119">&lt;https://github.com/w3c/webappsec-csp/issues/119></a><a href="#issue-063d72f2"> ↵ </a></div>
    <div class="issue"> Is this kind of thing specified anywhere? I didn’t see anything

index.src.html

@@ -304,8 +304,6 @@ <h3 id="changes-from-level-2">Changes from Level 2</h3>
 
       4. Dedicated workers now always inherit their creator's policy.
 
-      ISSUE(w3c/webappsec-csp#146): This still might not be the right model.
-
   3.  The URL matching algorithm now treats insecure schemes and ports as
       matching their secure variants. That is, the source expression
       `http://example.com:80` will match both `http://example.com:80` and