Re: Proposed change: "xhr-src" to "connect"

On 06/22/2011 12:59 AM, gaz Heyes wrote:
> On 22 June 2011 01:42, Brandon Sterne wrote:
>     Although Worker scripts are restricted to same-origin as the invoking
>     page, they can load arbitrary additional scripts from any origin using
>     the importScripts API.  In this sense, they are very similar to <script>
>     elements.  Yes, they execute in a different context than the parent
>     document, but sites will still want to have control over where those
>     scripts can be pulled in from.  This is another reason to lump them in
>     with script-src, IMO.
> I agree with the proposal and could I suggest an options directive which
> allows/disallows cookies. This would allow the site to stop XHR or
> workers from retrieving pages as the currently logged on user. It would
> also enable workers to be used safely in a sandbox context.

Can you elaborate on the use case a bit more?  Do HttpOnly cookies for
your session tokens not meet your requirements?  I would prefer to avoid
duplicating functionality if possible.
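To illustrate the point Brandon makes above, that a worker's importScripts() loads should fall under script-src just like script elements, here is an added example (not code from this thread, from Mozilla, or from the CSP specification). It is a deliberately simplified script-src matcher: it handles 'none', 'self', '*', scheme-sources and plain host-sources, and ignores wildcards, path matching, nonces and hashes. The policy string, document origin and candidate URLs are constructed for the demonstration; `parseCsp`, `sourceMatches`, `scriptLoadAllowed` and `demo` are this example's own names.

```javascript
// Added example: a simplified CSP script-src check applied to the URLs a worker
// might pass to importScripts(). Not the spec's full source-expression algorithm.

// Parse "default-src 'none'; script-src 'self' https://cdn.example.com"
// into { 'default-src': ["'none'"], 'script-src': ["'self'", 'https://cdn.example.com'] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit the candidate URL for a document at docOrigin?
// candidate and docOrigin are URL objects. Simplified: exact scheme+host comparison only.
function sourceMatches(source, candidate, docOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") {
    return candidate.protocol === docOrigin.protocol && candidate.host === docOrigin.host;
  }
  if (source === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return candidate.protocol.toLowerCase() === source.toLowerCase();
  }
  // host-source such as "https://cdn.example.com" or "cdn.example.com";
  // without an explicit scheme we assume the document's scheme (simplification)
  const withScheme = source.includes('://') ? source : `${docOrigin.protocol}//${source}`;
  let allowed;
  try { allowed = new URL(withScheme); } catch (e) { return false; }
  return candidate.protocol === allowed.protocol && candidate.host === allowed.host;
}

// Would loading scriptUrl (a <script> src or an importScripts() argument) be allowed?
// Falls back to default-src when script-src is absent, as CSP does; no applicable
// directive means the load is unrestricted.
function scriptLoadAllowed(policy, scriptUrl, documentOrigin) {
  const directives = parseCsp(policy);
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;
  const candidate = new URL(scriptUrl);
  const docOrigin = new URL(documentOrigin);
  return sources.some(src => sourceMatches(src, candidate, docOrigin));
}

// Constructed sample: a site's policy and the URLs a worker might try to pull in.
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com";
const DOCUMENT_ORIGIN = 'https://app.example.com';

function demo() {
  const attempts = [
    'https://app.example.com/worker-helpers.js',   // same origin: allowed by 'self'
    'https://cdn.example.com/lib.js',              // listed host: allowed
    'https://third-party.example.net/payload.js',  // unlisted host: blocked
    'http://cdn.example.com/lib.js',               // scheme mismatch: blocked
  ];
  return attempts.map(u => [u, scriptLoadAllowed(POLICY, u, DOCUMENT_ORIGIN)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [u, ok] of demo()) console.log(`${ok ? 'allow' : 'block'} ${u}`);
}
```

Run it with `node` to see each candidate URL labelled allow or block. The same decision applies whether the URL came from a `<script>` element in the document or from importScripts() inside a worker, which is what grouping workers under script-src buys the site.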


Received on Friday, 24 June 2011 00:09:28 UTC