
Re: Proposed change: "xhr-src" to "connect"

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 21 Jun 2011 17:42:27 -0700
Message-ID: <4E013A73.9050607@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Although Worker scripts are restricted to same-origin as the invoking
page, they can load arbitrary additional scripts from any origin using
the importScripts API.  In this sense, they are very similar to <script>
elements.  Yes, they execute in a different context than the parent
document, but sites will still want to have control over where those
scripts can be pulled in from.  This is another reason to lump them in
with script-src, IMO.

-Brandon


On 6/21/11 3:23 PM, Adam Barth wrote:
> That sounds like a good idea.
> 
> One argument in favor of not lumping workers in with script-src is
> that workers get their own security context (unlike <script>), so
> they're more like off-screen iframes in that sense.
> 
> Adam
> 
> 
> On Tue, Jun 21, 2011 at 3:13 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
>> Per previous discussions, I would like to broaden the scope of the
>> xhr-src directive and rename it to reflect the change.  The tentative
>> proposal for the new directive name is "connect" and it would define the
>> list of sources that a page can connect to via DOM/JS APIs.  To begin
>> with, this directive would cover:
>>
>>  - XMLHttpRequest
>>  - WebSocket
>>  - EventSource
>>
>> Are there other APIs that belong in this bucket?
>>
>> On a related note, Adam has advocated including Worker in this new
>> category, but I believe we should add Worker under script-src since the
>> stated purpose of that API is to run script in the background and I
>> believe this will be "least surprising" to web developers.
>>
>> Would people support this change?
>>
>> Thanks,
>> Brandon
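An added example, not code from this thread or from any browser: a small JavaScript model of the directive split discussed above, with XMLHttpRequest, WebSocket and EventSource under the proposed "connect" directive and Worker plus importScripts under script-src, as Brandon argues. The policy string, page origin and source-list syntax (only 'self', '*' and exact origins) are assumptions chosen for illustration.

```javascript
// Map each API named in the thread to the directive the proposal puts it under.
const DIRECTIVE_FOR_API = {
  XMLHttpRequest: 'connect',
  WebSocket: 'connect',
  EventSource: 'connect',
  Worker: 'script-src',        // workers run script in the background
  importScripts: 'script-src', // scripts a worker pulls in from any origin
};

// Parse "script-src 'self' https://cdn.example; connect 'self'" into a map
// of directive name -> array of source expressions (assumed syntax).
function parsePolicy(policyText) {
  const policy = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// Does one source expression permit a request to `url` from a page at
// `pageOrigin`? Only 'self', '*' and exact origins are modelled here.
function sourceMatches(source, url, pageOrigin) {
  const requestOrigin = new URL(url).origin;
  if (source === '*') return true;
  if (source === "'self'") return requestOrigin === pageOrigin;
  return requestOrigin === new URL(source).origin;
}

// Decide whether the named API may reach `url` under the policy.
// A directive absent from the policy places no restriction on its APIs.
function isAllowed(policy, api, url, pageOrigin) {
  const directive = DIRECTIVE_FOR_API[api];
  if (!directive) throw new Error(`unknown API: ${api}`);
  const sources = policy[directive];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample: a page at https://app.example whose policy lets
// script-src pull from a CDN and connect reach a WebSocket endpoint.
const SAMPLE_POLICY = parsePolicy(
  "script-src 'self' https://cdn.example; connect 'self' wss://api.example"
);
const SAMPLE_PAGE_ORIGIN = 'https://app.example';
```

With this policy, a worker's importScripts from the CDN is governed by script-src and allowed, while an XMLHttpRequest to the same CDN falls under connect and is refused.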
Received on Wednesday, 22 June 2011 00:43:28 UTC
