- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 23 Jun 2011 17:08:59 -0700
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>
On 06/22/2011 12:59 AM, gaz Heyes wrote:
> On 22 June 2011 01:42, Brandon Sterne <bsterne@mozilla.com <mailto:bsterne@mozilla.com>> wrote:
>
> > Although Worker scripts are restricted to same-origin as the invoking
> > page, they can load arbitrary additional scripts from any origin using
> > the importScripts API. In this sense, they are very similar to <script>
> > elements. Yes, they execute in a different context than the parent
> > document, but sites will still want to have control over where those
> > scripts can be pulled in from. This is another reason to lump them in
> > with script-src, IMO.
>
> I agree with the proposal and could I suggest an options directive which
> allows/disallows cookies. This would allow the site to stop XHR or
> workers from retrieving pages as the currently logged-on user. It would
> also enable workers to be used safely in a sandbox context.

Can you elaborate on the use case a bit more? Do HttpOnly cookies for your session tokens not meet your requirements? I would prefer to avoid duplicating functionality if possible.

Thanks,
Brandon
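The point under discussion is that a same-origin Worker can pull in third-party code through importScripts(), so a policy that only gates `<script>` elements leaves a gap; the proposal is to have script-src govern both. The following is an added illustration, not code from the thread, from Mozilla or from any browser: a deliberately simplified Content-Security-Policy script-src matcher (scheme, host with a leading "*." wildcard, optional port, 'self'; it is not the full CSP source-expression algorithm) applied identically to a document's script URL and to the URLs a worker imports. The policy header and URLs are constructed sample values.

```javascript
// Added illustrative example, not from the mailing-list thread or any browser.
// Shows a single script-src allow-list being applied both to <script src> URLs
// in the parent document and to URLs a same-origin Worker fetches via
// importScripts(). Source-expression matching is intentionally reduced
// (scheme, host with optional "*." prefix, optional port, 'self', 'none').

// Constructed sample policy.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com *.static.example";

// Parse "directive src src; directive src" into Map<directive, [sources]>.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one source expression against a URL, relative to the page's origin.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin.origin;
  if (source === "'none'") return false;
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the page's own scheme is required.
  const expectedScheme = scheme ? scheme.toLowerCase() + ':' : pageOrigin.protocol;
  if (url.protocol !== expectedScheme) return false;
  const urlHost = url.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard) {
    if (!urlHost.endsWith('.' + wantHost)) return false;
  } else if (urlHost !== wantHost) {
    return false;
  }
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  return true;
}

// Is scriptUrl permitted by script-src (falling back to default-src)?
function scriptAllowed(policyHeader, pageUrl, scriptUrl) {
  const directives = parsePolicy(policyHeader);
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true; // no applicable directive, nothing restricts the load
  const page = new URL(pageUrl);
  const target = new URL(scriptUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}

// The thread's scenario: a same-origin worker calls importScripts() on one or
// more URLs. Under the proposal every imported URL passes the same script-src
// check as a <script> element in the parent document.
function workerImportAllowed(policyHeader, pageUrl, importUrls) {
  return importUrls.every((u) => scriptAllowed(policyHeader, pageUrl, u));
}

// Stand-alone demonstration.
const PAGE = 'https://app.example/index.html';
console.log(scriptAllowed(SAMPLE_POLICY, PAGE, 'https://cdn.example.com/lib.js'));
console.log(workerImportAllowed(SAMPLE_POLICY, PAGE, ['/w.js', 'https://evil.example/x.js']));
```

Treating the import list as a set of script loads is what makes the worker case fall out of the existing directive: the third-party import above fails for exactly the reason a `<script src="https://evil.example/x.js">` would, with no worker-specific directive needed.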
Received on Friday, 24 June 2011 00:09:28 UTC