- From: Arun Ranganathan <arun@mozilla.com>
- Date: Wed, 25 Jun 2008 13:48:04 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Ian Hickson <ian@hixie.ch>, aa@google.com, Ben Turner <bturner@mozilla.com>, Johnny Stenback <jst@mozilla.com>, Jonas Sicking <sicking@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>, chaals@opera.com, chris.wilson@microsoft.com, public-webapps@w3.org, schepers@w3.org, tlr@w3.org, dveditz@mozilla.com
Maciej,

>> 1. Worker Threads in Script.
>
> Apple is interested in a worker API. The key issues for workers, in my
> opinion, are security, messaging, and which of the normal APIs are
> available. Right now, these things are covered in HTML5, so I think
> that may be a better place to add a Worker API.
>
> We would certainly like to coordinate our work in this area with the
> proposed APIs cited.
>

Fair observation. I'll wait to hear from other parties (particularly the other user-agent companies) about where this ought to live. I note from a previous thread[1] that the presumption of a dependency on HTML5 has proven problematic to other WGs, which could sell your point about moving this to HTML5. My preference is to have it here since it is a Web API and thus should be treated as a modular piece of the ecosystem.

>> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site
>> Request Forgery) Vulnerabilities. The idea is to provide a mechanism
>> (possibly via HTTP headers, but not necessarily limited to HTTP
>> headers) to stipulate a *strict* mode for script inclusion via
>> "script src=" and prevention of inline scripts altogether. See Site
>> Security Policy [5]. We encourage discussion about this topic via
>> email. Will other members of the WG engage with Mozilla on this, via
>> additional work items covered by the charter of this WG?
>
> This one looks complicated and I'll need some time to review to form
> an opinion. Some critical details seem to be missing from the
> proposal, for example, one of the mechanisms calls for a preflight
> policy check request but it is not described how to do this request.
>

Fair observation, though note (as I said before) that this is far from a fait accompli. The "uber idea" is to induce a stricter script inclusion/inline script mechanism in user agents. Should that idea have currency with Apple, we'd be very interested in working with you (as we are with others) in sorting out the details.
Going forward, it might be wise to snap these two out of one email thread, but I'll wait on responses.

-- A*

[1] http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0413.html
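As an added illustration, not part of this thread and not the Site Security Policy proposal's own syntax or code, here is a small Python model of the "strict mode" described in item 2: a hypothetical policy header (the header name, directive names and sample values are assumptions constructed for this example) whitelists the hosts that `script src=` may load from and forbids inline scripts, and each script element found in a page is then checked against that policy so a defender can see which ones a conforming user agent would refuse to run.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical header (placeholder name and syntax, an assumption for this example):
#   X-Hypothetical-Script-Policy: script-src host1 host2; inline-scripts none

@dataclass
class ScriptPolicy:
    allowed_hosts: set   # hosts from which external scripts may be loaded
    allow_inline: bool   # whether <script>...</script> bodies may execute

def parse_policy(header_value: str) -> ScriptPolicy:
    """Parse the constructed header syntax into a ScriptPolicy."""
    hosts, allow_inline = set(), True
    for directive in header_value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "script-src":
            hosts.update(h.lower() for h in args)
        elif name == "inline-scripts":
            allow_inline = not (args and args[0].lower() == "none")
    return ScriptPolicy(hosts, allow_inline)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def evaluate_page(policy: ScriptPolicy, page_host: str, html: str):
    """Return [(description, allowed)] for every script element in html.
    A relative src resolves to the page's own host; under strict mode even
    that host must be listed explicitly in script-src."""
    results = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlsplit(src.group(1)).hostname or page_host).lower()
            results.append((f"src={src.group(1)}", host in policy.allowed_hosts))
        elif body.strip():
            results.append(("inline script", policy.allow_inline))
    return results

# Constructed sample input: a policy header and a page containing four scripts,
# the third of which stands in for an injected (XSS) inline script.
SAMPLE_HEADER = "script-src www.example.com static.example.com; inline-scripts none"
SAMPLE_HTML = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="/local.js"></script>
<script>document.write('injected')</script>
<script src="https://third-party.example.org/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for desc, ok in evaluate_page(parse_policy(SAMPLE_HEADER), "www.example.com", SAMPLE_HTML):
        print(("ALLOW " if ok else "BLOCK ") + desc)
```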
Received on Wednesday, 25 June 2008 20:48:50 UTC