- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 21 Jun 2011 15:23:14 -0700
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
That sounds like a good idea. One argument in favor of not lumping workers in with script-src is that workers get their own security context (unlike <script>), so they're more like off-screen iframes in that sense.

Adam

On Tue, Jun 21, 2011 at 3:13 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> Per previous discussions, I would like to broaden the scope of the
> xhr-src directive and rename it to reflect the change. The tentative
> proposal for the new directive name is "connect" and it would define the
> list of sources that a page can connect to via DOM/JS APIs. To begin
> with, this directive would cover:
>
> - XMLHttpRequest
> - WebSocket
> - EventSource
>
> Are there other APIs that belong in this bucket?
>
> On a related note, Adam has advocated including Worker in this new
> category, but I believe we should add Worker under script-src since the
> stated purpose of that API is to run script in the background and I
> believe this will be "least surprising" to web developers.
>
> Would people support this change?
>
> Thanks,
> Brandon

Received on Tuesday, 21 June 2011 22:24:20 UTC