- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 16 May 2013 18:35:56 +0100
- To: Alex Russell <slightlyoff@google.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Ian Hickson <ian@hixie.ch>, WebAppSec WG <public-webappsec@w3.org>
On Thu, May 16, 2013 at 6:29 PM, Alex Russell <slightlyoff@google.com> wrote:
> I don't think this makes sense. The worker has permissions to do things
> which hosting documents (of which there must be at least one) can do, and
> that means that if I host a worker from a document, it should apply the same
> policy as the document that begat it.

We will have workers, such as controllers and probably event workers long term, that will run when there are no documents around.

> This is why I've been advocating the splitting when policies differ.

That turns the basic guarantee of origin + shared name into origin + shared name + CSP, of which CSP can be outside the control of the person writing the scripts. That seems like a bad idea.

--
http://annevankesteren.nl/
Received on Thursday, 16 May 2013 17:36:23 UTC