Is inheritance of 'self' to local-scheme appropriate?

[shhnjk]

We discussed that 'self' inherited to local-scheme (e.g. data URL) should be treated as local-scheme itself.

But this means that if website https://A.com wants to load data: frames and wishes to load resources inside data: frames from itself, then they need to give up with default-src 'self' and they should add default-src https://A.com.

Is this how website should implement CSP? Seems complicated.

[ckerschb]

The other use case to consider is. What about a data: URI iframe that ships a meta CSP using 'self'? Unique origins don't even match itself, hence 'self' does not make any sense in that scenario.

[annevk]

(A unique origin does match itself, but you cannot compute the same unique origin twice from a single data URL.)