W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Proposed change: "xhr-src" to "connect"

From: Brandon Sterne <bsterne@mozilla.com>
Date: Thu, 23 Jun 2011 17:08:59 -0700
Message-ID: <4E03D59B.1000805@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On 06/22/2011 12:59 AM, gaz Heyes wrote:
> On 22 June 2011 01:42, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
>     Although Worker scripts are restricted to same-origin as the invoking
>     page, they can load arbitrary additional scripts from any origin using
>     the importScripts API.  In this sense, they are very similar to <script>
>     elements.  Yes, they execute in a different context than the parent
>     document, but sites will still want to have control over where those
>     scripts can be pulled in from.  This is another reason to lump them in
>     with script-src, IMO.
> I agree with the proposal and could I suggest a options directive which
> allows/disallows cookies. This would allow the site to stop XHR or
> workers from retrieving pages as the currently logged on user. It would
> also enable workers to be used safely in a sandbox context.

Can you elaborate on the use case a bit more?  Do HttpOnly cookies for
your session tokens not meet your requirements?  I would prefer to avoid
duplicating functionality if possible.

Received on Friday, 24 June 2011 00:09:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC