W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2009

[whatwg] Workers and URL origin check

From: Adam Barth <whatwg@adambarth.com>
Date: Thu, 28 May 2009 12:37:40 -0700
Message-ID: <7789133a0905281237t11012dbbv5a601a4db389cb2d@mail.gmail.com>
On Thu, May 28, 2009 at 12:05 PM, Dmitry Titov <dimich at chromium.org> wrote:
> Returning to the the narrower original question, what?should?we do with
> redirects during worker loads?
> - should we abort load if any URL in the redirect chain is from different
> origin?

Yes.

> - should we only abort load if the final URL is from different origin?

No.  This is dangerous.

> - if the same site redirects between schemas (http->https, http->data etc)
> does this abort loading too?

Yes.  These are different origins.

> - which URL is used to compute the script's origin and/or base URL in case
> of redirects?

The final URL, just like for HTML documents.

> The simplest solution is to just abort loading if origin deviates in any
> part from parent context's, and use the final URL to compute origin (should
> be the same) and base URLs.

I agree.

Adam
Received on Thursday, 28 May 2009 12:37:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:49 UTC