[Bug 13373] Privacy: Limit SharedWorker connections to same top-level domain

From: <bugzilla@jessica.w3.org>
Date: Mon, 08 Aug 2011 20:23:41 +0000
To: public-webapps@w3.org
Message-Id: <E1QqWMP-0006Mf-JV@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13373

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |ian@hixie.ch
         Resolution|                            |NEEDSINFO

--- Comment #1 from Ian 'Hixie' Hickson <ian@hixie.ch> 2011-08-08 20:23:40 UTC ---
How would this protect user privacy? What's the expected leak here?

As far as I can tell, SharedWorkers do not introduce a communication channel
that isn't already possible with any number of other features, e.g. IndexedDB,
Web Storage, XHR, cookies, fingerprinting, walking Window hierarchies, etc.

In any case, it's up to the UA to define the scope of "user agent" — so long
as two frames aren't in the same unit of related browsing contexts, there's not
much the spec can say that would force the UA to treat the two frames as
related. Just make sure they really are separate and can never communicate, and
you're fine. (Of course, if they can communicate — e.g. by passing ports
along a chain of shared workers and iframes each step of which is allowed, even
though the first and last participants are blocked from seeing each other
normally — then that's non-conforming.)

Received on Monday, 8 August 2011 20:23:42 GMT