
[whatwg] Workers and URL origin check

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 28 May 2009 01:11:21 -0700
Message-ID: <63df84f0905280111h1d608628ne55a2d43c74bf058@mail.gmail.com>

On Wed, May 27, 2009 at 6:15 PM, Drew Wilson <atwilson at google.com> wrote:
> Along the same lines, I'm wondering why we require a same-domain check for
> initial worker URLs, but not for script imported via importScripts().

This is because workers run in a security context of the initial
worker URL. So this is the origin that is used for security checks
whenever the worker does something, like load data using
XMLHttpRequest.

importScripts() however behaves more like <script> in that they run the
loaded script in the security context of the worker that loaded them.

> Seems
> like we ought to have workers inherit the origin of the script context that
> invoked the Worker constructor, but allow the script URL passed to the
> constructor to point at any domain.

That would be another solution to this problem, however some people
preferred the solution that is currently in the spec.

/ Jonas
Received on Thursday, 28 May 2009 01:11:21 UTC
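
The two designs discussed in this thread, as an added model that is not part of the original message and is not browser or spec code. The function names and all URLs are constructed for illustration; the only assumption is that an origin is compared as scheme, host and port, which is what `URL.origin` returns.

```javascript
// Added illustration: a model of the two designs, not browser or spec code.
// All URLs below are constructed sample values.
class SecurityError extends Error {}

const originOf = (url) => new URL(url).origin; // scheme + host + port

// Design in the spec (per the message): the worker's security context is the
// origin of its initial script URL, so that URL must be same-origin with the creator.
function createWorkerSpec(creatorUrl, scriptUrl) {
  const script = new URL(scriptUrl, creatorUrl).href;
  if (originOf(script) !== originOf(creatorUrl)) {
    throw new SecurityError(`cross-origin worker script: ${script}`);
  }
  return { origin: originOf(script), scripts: [script] };
}

// Alternative raised in the thread: any script URL, worker inherits creator origin.
function createWorkerInherit(creatorUrl, scriptUrl) {
  const script = new URL(scriptUrl, creatorUrl).href;
  return { origin: originOf(creatorUrl), scripts: [script] };
}

// importScripts(): no origin check; imported code runs in the worker's context.
function importScripts(worker, url) {
  const script = new URL(url, worker.scripts[0]).href;
  worker.scripts.push(script);
  return { script, runsAs: worker.origin };
}

// Origin a security check (e.g. for XMLHttpRequest) would see for code from `script`.
function requestOrigin(worker, script) {
  if (!worker.scripts.includes(script)) throw new Error("script not loaded");
  return worker.origin;
}

function demo() {
  const page = "https://app.example/index.html";
  const w = createWorkerSpec(page, "/js/worker.js");
  const lib = importScripts(w, "https://cdn.example/lib.js");
  let blocked = false;
  try { createWorkerSpec(page, "https://cdn.example/worker.js"); }
  catch (e) { blocked = e instanceof SecurityError; }
  const alt = createWorkerInherit(page, "https://cdn.example/worker.js");
  return { workerOrigin: w.origin, libRunsAs: lib.runsAs, blocked, altOrigin: alt.origin };
}
console.log(demo());
```

In both designs the imported cross-origin library ends up running with the worker's origin, so whatever is passed to importScripts() is trusted with that origin's privileges.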
