Re: Proposed change: "xhr-src" to "connect"

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 21 Jun 2011 15:23:14 -0700
Message-ID: <BANLkTimqAQXHid6aPGaxG0ZJpydPQtPqNQ@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>

That sounds like a good idea.

One argument in favor of not lumping workers in with script-src is
that workers get their own security context (unlike <script>), so
they're more like off-screen iframes in that sense.

Adam


On Tue, Jun 21, 2011 at 3:13 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> Per previous discussions, I would like to broaden the scope of the
> xhr-src directive and rename it to reflect the change.  The tentative
> proposal for the new directive name is "connect" and it would define the
> list of sources that a page can connect to via DOM/JS APIs.  To begin
> with, this directive would cover:
>
>  - XMLHttpRequest
>  - WebSocket
>  - EventSource
>
> Are there other APIs that belong in this bucket?
>
> On a related note, Adam has advocated including Worker in this new
> category, but I believe we should add Worker under script-src since the
> stated purpose of that API is to run script in the background and I
> believe this will be "least surprising" to web developers.
>
> Would people support this change?
>
> Thanks,
> Brandon
>
>
Received on Tuesday, 21 June 2011 22:24:20 UTC
