W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2009

[whatwg] AppCache and SharedWorkers?

From: Alexey Proskuryakov <ap@webkit.org>
Date: Thu, 26 Mar 2009 23:19:22 +0300
Message-ID: <047ED187-15B3-4BBF-BF4D-FF51F8543785@webkit.org>

On 26.03.2009, at 19:26, Drew Wilson wrote:

> Letting faceless background processes update themselves without user  
> consent is not necessarily desirable. I think that they need browser  
> UI for this, and/or associated HTML configuration pages that could  
> (among other duties) trigger application cache update.
>
> I'd be curious about why you think this is a problem, especially  
> given the existence of importScripts() and XHR which allow workers  
> to load scripts dynamically anyway.


importScripts() will only allow dynamic loading if any URL prefixes  
are designated as "NETWORK" in the manifest, which security sensitive  
users may potentially detect and block. The level of support for this  
in browsers, firewalls, anti-viruses and other software will obviously  
depend on future usage patterns and threats, but the possibility is  
there.

But I was looking at this in terms of a model for users, not any  
specific security threats - if we think of persistent workers as an  
equivalent of native applications that need installation, then we  
should consider that native applications don't usually update  
themselves without user consent.

- WBR, Alexey Proskuryakov
Received on Thursday, 26 March 2009 13:19:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:47:49 GMT