On 22 June 2011 01:42, Brandon Sterne <bsterne@mozilla.com> wrote: > Although Worker scripts are restricted to same-origin as the invoking > page, they can load arbitrary additional scripts from any origin using > the importScripts API. In this sense, they are very similar to <script> > elements. Yes, they execute in a different context than the parent > document, but sites will still want to have control over where those > scripts can be pulled in from. This is another reason to lump them in > with script-src, IMO. > I agree with the proposal and could I suggest a options directive which allows/disallows cookies. This would allow the site to stop XHR or workers from retrieving pages as the currently logged on user. It would also enable workers to be used safely in a sandbox context.
Received on Wednesday, 22 June 2011 08:00:07 UTC