Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization from Maciej Stachowiak on 2008-06-25 (public-webapps@w3.org from April to June 2008)

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 25 Jun 2008 13:29:38 -0700
To: arun@mozilla.com
Cc: Ian Hickson <ian@hixie.ch>, aa@google.com, Ben Turner <bturner@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Jonas Sicking <sicking@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, chaals@opera.com, chris.wilson@microsoft.com, public-webapps@w3.org, schepers@w3.org, tlr@w3.org, dveditz@mozilla.com
Message-Id: <ED141346-8F98-41C7-9EF5-E9940E2351DF@apple.com>

On Jun 25, 2008, at 1:09 PM, Arun Ranganathan wrote:

> Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,
>
> On behalf of Mozilla, I'd like to introduce the possibility of two  
> new work items for this group to consider.  Neither of these is  
> presented as a fait accompli, although we would like to consider  
> both of these for inclusion in Firefox 3.Next if that is possible.
>
> 1. Worker Threads in Script.  The idea is to offer developers the  
> ability to spawn threads from within web content, as well as cross- 
> thread communication mechanisms such as postMessage.  Mozilla  
> presents preliminary thought on the subject [1], and notes similar  
> straw persons proposed by WHATWG [2] and by Google Gears [3].  Also  
> for reference see worker threads in C# [4].  The Web Apps working  
> group seems like a logical home for this work.  Will other members  
> of the WG engage with Mozilla on this, via additional work items  
> covered by the charter of this WG?

Apple is interested in a worker API. The key issues for workers, in my  
opinion, are security, messaging, and which of the normal APIs are  
available. Right now, these things are covered in HTML5, so I think  
that may be a better place to add a Worker API.

We would certainly like to coordinate our work in this area with the  
proposed APIs cited.

> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site  
> Request Forgery) Vulnerabilities.  The idea is to provide a  
> mechanism (possibly via HTTP headers, but not necessarily limited to  
> HTTP headers) to stipulate a *strict* mode for script inclusion via  
> "script src=" and prevention of inline scripts altogether.  See Site  
> Security Policy [5].   We encourage discussion about this topic via  
> email.  Will other members of the WG engage with Mozilla on this,  
> via additional work items covered by the charter of this WG?

This one looks complicated and I'll need some time to review to form  
an opinion. Some critical details seem to be missing from the  
proposal, for example, one of the mechanisms calls for a preflight  
policy check request but it is not described how to do this request.

Regards,
Maciej

Received on Wednesday, 25 June 2008 20:30:23 UTC