
Re: [Workers] Worker same-origin and usage in JS libraries...

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 17 Jul 2012 23:05:18 +0000 (UTC)
To: Bronislav Klučka <Bronislav.Klucka@bauglir.com>
cc: public-webapps@w3.org
Message-ID: <Pine.LNX.4.64.1207172254110.27616@ps20323.dreamhostps.com>
On Wed, 18 Jul 2012, Bronislav Klučka wrote:
> 
> Since script is loaded using HTTP, why not use already defined CORS headers on
> server side while serving those scripts?

CORS is the wrong semantic. It's not "origin A is allowed to read content 
from origin B", it's "origin A is allowed to cause origin B to run code", 
which is a very different threat model. It would be quite bad for us to 
say that any file that you can read from another origin, you can cause to 
be executed as script in that origin.


> And if you want it to be defined in JS file itself, I'll suggest "use 
> strict" approach:
> 
> file> ---------------------------------------------------------------
> "Access-Control-Allow-Origin: *";
> (function(){
>     "use strict";
>       var x = 5;
> })();
> ---------------------------------------------------------------<file

Whether it's a string or a comment seems like a detail. If we do do this, 
I expect we'll find something that's somewhat language-agnostic (e.g. 
allowing any leading and trailing punctuation on the first line, or 
something to that effect).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 17 July 2012 23:05:40 GMT
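The reply sketches an in-file opt-in rather than a CORS response header: a marker on the first line of the script, tolerant of whatever leading and trailing punctuation the language needs. The following is an added illustration of that gate, not code from the original post or from any W3C specification. It reuses the "Access-Control-Allow-Origin" string from the quoted proposal as the marker name; the punctuation-stripping rule, the function names and the sample origins are assumptions made here.

```javascript
// Added illustration (not from the mailing-list thread): a hypothetical
// first-line opt-in check for loading a script into a Worker from another
// origin. The marker name comes from the quoted proposal; the parsing rule
// (ignore leading/trailing punctuation so the marker can be a string, a
// line comment or a block comment) follows the "language-agnostic" sketch.

// Return the origin value declared on the first line, or null if there is
// no marker. Leading "//", "/*", "#" and quotes are ignored, as are a
// trailing "*/", ";" and quotes, so all of these carry the same marker:
//   "Access-Control-Allow-Origin: *";
//   // Access-Control-Allow-Origin: https://app.example
//   /* Access-Control-Allow-Origin: * */
function parseFirstLineMarker(source) {
  const firstLine = source.split(/\r?\n/, 1)[0];
  const core = firstLine
    .replace(/^[\s\/\*#'"]+/, '')            // leading comment/string punctuation
    .replace(/\s*(\*\/)?[\s;'"]*$/, '');     // trailing "*/", ";" and quotes
  const m = /^Access-Control-Allow-Origin:\s*(.+)$/.exec(core);
  return m ? m[1].trim() : null;
}

// Decide whether a page/worker at requesterOrigin may run a script served
// from scriptOrigin. The CORS response header is deliberately not consulted:
// as the reply argues, "A may read B's file" is a different grant from
// "A may cause B's code to run", so only the in-file opt-in counts here.
// A marker of "*" opts in every origin; otherwise the requester must match.
function mayRunCrossOriginScript(requesterOrigin, scriptOrigin, source) {
  if (requesterOrigin === scriptOrigin) return true;   // same-origin: no opt-in needed
  const allowed = parseFirstLineMarker(source);
  if (allowed === null) return false;                  // no marker: deny
  return allowed === '*' || allowed === requesterOrigin;
}

// Constructed sample inputs (not real files) showing the three outcomes.
const OPT_IN_ALL = '"Access-Control-Allow-Origin: *";\n(function(){\n  "use strict";\n  var x = 5;\n})();';
const OPT_IN_ONE = '// Access-Control-Allow-Origin: https://app.example\nvar x = 5;';
const NO_MARKER  = '(function(){\n  "use strict";\n  var x = 5;\n})();';

console.log(mayRunCrossOriginScript('https://any.example', 'https://lib.example', OPT_IN_ALL)); // true
console.log(mayRunCrossOriginScript('https://app.example', 'https://lib.example', OPT_IN_ONE)); // true
console.log(mayRunCrossOriginScript('https://evil.example', 'https://lib.example', OPT_IN_ONE)); // false
console.log(mayRunCrossOriginScript('https://any.example', 'https://lib.example', NO_MARKER));  // false
```

The gate only ever widens access on the strength of something the script's own author wrote into the file, which is the property the reply is after; a server that merely serves a readable file with a permissive CORS header does not, by itself, let another origin execute it.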