- From: Aron Nyborg Allen <notifications@github.com>
- Date: Thu, 02 Feb 2017 01:43:18 -0800
- To: w3c/IndexedDB <IndexedDB@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 2 February 2017 09:43:53 UTC
We are using Web Workers as a way to run 3rd-party code through established protocols, the code is not completely untrusted, but we are trying to constrain the Web Workers as much as possible. With Web Workers our platform developers can write small applets without ever accessing the real DOM, and without the same performance bottlenecks as iframes. We are using Content-Security-Policy to limit what Web Workers can load and access. Unfortunately there is no way to limit access to IndexedDB, while there are good use-cases to share data between the main thread and Workers with IndexedDB, there may be applications where sharing such data could be a security risk, such as ours. We believe there should be a way to limit IndexedDB access for Web Workers, perhaps through Content-Security-Policy, so they cannot open the same databases. Since IndexedDB is still not widely adopted we are not relying on it for our application. In the future IndexedDB could be useful if we could manage security for Web Worker scripts. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/IndexedDB/issues/141
Received on Thursday, 2 February 2017 09:43:53 UTC