Process Re: Worker Threads and Site Security Policy

CC trimmed a bit for people I know are in the list without looking. Sadly  
Microsoft still haven't got around to joining, so it falls on Chris to  
pass this on until they get to do the legal work.

NB: The chairs are actually Art and I - Doug and Mike are the staff  

On Wed, 25 Jun 2008 22:48:04 +0200, Arun Ranganathan <>  

> Maciej,
>>> 1. Worker Threads in Script.
>> Apple is interested in a worker API. The key issues for workers, in my  
>> opinion, are security, messaging, and which of the normal APIs are  
>> available. Right now, these things are covered in HTML5, so I think  
>> that may be a better place to add a Worker API.

> Fair observation.  I'll wait to hear from other parties (particularly  
> the other user-agent companies) about where this ought to live.  I note  
> from a previous thread[1] that the presumption of a dependency on HTML5  
> has proven problematic to other WGs, which could sell your point about  
> moving this to HTML5.  My preference is to have it here since it is a  
> Web API and thus should be treated as a modular piece of the ecosystem.

I note that in the geolocation discussion Ian has been quite vocal about  
this being the home for APIs, but in respect to the Window spec he has  
simply taken it into HTML5, although that won't be stable for many years  
according to him. So clearly the question of where things live is not  
always one with an obvious answer.

In this group there are a couple of requirements. The first is that we  
have to have resources - and that includes not just people interested, but  
people who will do the work of editing (which is where Window, among  
others, have met problems - editors who take on work and don't do it leave  
us in a tricky position). The other is that our charter states that we  
will explicitly ask the AC about taking on new deliverables - something  
that in my opinion makes good sense, given that we have noted that we  
expect this space to be dynamic so this porcess is expected. We don't  
know, of course, what that process is, but I guess we could find out  
sooner rather than later.

>>> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site  
>>> Request Forgery) Vulnerabilities
> Going forward, it might be wise to snap these two out of one email  
> thread, but I'll wait on responses.

Yeah, I think that would be a good move.



Charles McCathieNevile  Opera Software, Standards Group
     je parle français -- hablo español -- jeg lærer norsk   Try Opera 9.5:

Received on Wednesday, 25 June 2008 21:56:57 UTC