- From: Arun Ranganathan <arun@mozilla.com>
- Date: Wed, 25 Jun 2008 13:09:43 -0700
- To: Ian Hickson <ian@hixie.ch>, aa@google.com, Ben Turner <bturner@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Jonas Sicking <sicking@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, chaals@opera.com, mjs@apple.com, chris.wilson@microsoft.com, public-webapps@w3.org, schepers@w3.org, tlr@w3.org, dveditz@mozilla.com
Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,

On behalf of Mozilla, I'd like to introduce the possibility of two new work items for this group to consider. Neither of these is presented as a fait accompli, although we would like to consider both of these for inclusion in Firefox 3.Next if that is possible.

1. Worker Threads in Script. The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work. Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery) Vulnerabilities. The idea is to provide a mechanism (possibly via HTTP headers, but not necessarily limited to HTTP headers) to stipulate a *strict* mode for script inclusion via "script src=" and prevention of inline scripts altogether. See Site Security Policy [5]. We encourage discussion about this topic via email. Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

--
A*

[1] http://wiki.mozilla.org/DOMWorkerThreads
[2] http://hixie.ch/specs/dom/workers/0.9
[3] http://code.google.com/apis/gears/api_workerpool.html
[4] http://msdn.microsoft.com/en-us/library/5xt1dysy.aspx
[5] http://people.mozilla.com/~bsterne/site-security-policy/

Received on Wednesday, 25 June 2008 20:10:26 UTC