Re: Proposed change: "xhr-src" to "connect"

That sounds like a good idea.

One argument in favor of not lumping workers in with script-src is
that workers get their own security context (unlike <script>), so
they're more like off-screen iframes in that sense.

Adam


On Tue, Jun 21, 2011 at 3:13 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> Per previous discussions, I would like to broaden the scope of the
> xhr-src directive and rename it to reflect the change.  The tentative
> proposal for the new directive name is "connect" and it would define the
> list of sources that a page can connect to via DOM/JS APIs.  To begin
> with, this directive would cover:
>
>  - XMLHttpRequest
>  - WebSocket
>  - EventSource
>
> Are there other APIs that belong in this bucket?
>
> On a related note, Adam has advocated including Worker in this new
> category, but I believe we should add Worker under script-src since the
> stated purpose of that API is to run script in the background and I
> believe this will be "least surprising" to web developers.
>
> Would people support this change?
>
> Thanks,
> Brandon
>
>

Received on Tuesday, 21 June 2011 22:24:20 UTC