Clarification of application of same origin policy for data:/javascript: URIs in Web Workers requested from nemo@m8y.org on 2009-09-10 (public-html@w3.org from September 2009)

From: <nemo@m8y.org>
Date: Thu, 10 Sep 2009 16:30:07 -0400 (EDT)
To: whatwg@whatwg.org, public-html@w3.org
Message-ID: <alpine.LNX.2.00.0909101618330.9111@nautilus.m8y.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reading the current Draft Recommendation - 10 September 2009 it isn't clear to me what the rule should be for:
var myWorker = new Worker('data:application/ecmascript,postMessage(%22hi%22)');

or

var myWorker = new Worker('javascript:postMessage("hi")');


Which currently appear to be the only ways to dynamically create a worker.
At present Safari 4 and Firefox 3.5 throw security exceptions.

However, it isn't really clear to me that that should necessarily be the case.
http://www.w3.org/TR/2008/WD-html5-20080610/web-browsers.html#origin

Seems to suggest that for scripts with javascript: URIs the origin is normally considered the same as that of the owner, shouldn't it be the same for workers?

- -- 
- ----------------------------------------
Free Mickey!
http://randomfoo.net/oscon/2002/lessig/
http://www.law.duke.edu/cspd/comics/zoomcomic.html
My key: http://m8y.org/keys.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkqpYc8ACgkQpnvK0CrWnLd9DQCcCDfhSFUwswxw4/SU9jyHTSvC
y0UAn2KKkRdyYtj6ZxLl40dEqFnVeipb
=5Si/
-----END PGP SIGNATURE-----

Received on Friday, 11 September 2009 12:45:36 UTC