W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: Reminder: RfC: Last Call Working Draft of Web Workers; deadline April 21

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 20 Apr 2011 18:55:02 -0700
Message-ID: <BANLkTimNsdHBQgJPrL5U2vS9h0-R1ai7rA@mail.gmail.com>
To: Andrew Wilson <atwilson@google.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Travis Leithead <Travis.Leithead@microsoft.com>, Arthur Barstow <art.barstow@nokia.com>, "public-webapps-request@w3.org" <public-webapps-request@w3.org>, Adrian Bateman <adrianba@microsoft.com>, public-webapps <public-webapps@w3.org>
On Wed, Apr 20, 2011 at 5:58 PM, Andrew Wilson <atwilson@google.com> wrote:
> On Wed, Apr 20, 2011 at 4:05 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> That's why we're working on trying to fix fingerprinting.
>> The point is that privacy is something that we're all working on
>> trying to improve (right?), and the WebWorkers spec needs to be
>> changed to aid with that. As far as I can see all that's needed is to
>> say that a UA is allowed to not share a worker, and ideally point out
>> that such sharing could be disabled when the frame-parent chain
>> contains cross origin iframes.
> Thanks for the clarification, Jonas. So I'm concerned that a blanket
> prohibition would break legitimate use cases (iframe-based widgets on a page
> communicating with one another). Let's say we have the following:
> Top Level Window - http://a.com
>     Iframe_one - http://b.com
>     iframe_two - http://b.com
> Top Level Window - http://c.com
>     iframe_three - http://b.com
> If iframe_one, two, and three all create the same shared worker, would any
> sharing be allowed in the situation you propose? I would at least want
> iframe_one and iframe_two to end up referencing a common instance, even if
> privacy policy caused iframe_three to get a separate instance because the
> top-level window was pointed at c.com instead of a.com.
> This seems reasonable to me - I suspect that's what you (and Travis) were
> suggesting, but I wasn't positive.

Yes, on the surface it seems to me that this would be ok. Though given
that it's a more complex solution than a simple blanket prohibition
any time cross-site frames are involved, it's possible that I'm
missing some privacy leak vector.

/ Jonas
Received on Thursday, 21 April 2011 01:55:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:31 UTC