On Wed, Apr 20, 2011 at 12:54 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>
> Please correct me if I'm missing something, but I don't see any new
> privacy-leak vectors here. Without Shared Workers, 3rdparty.com can
> just hold open a communication channel to its server and shuttle
> information between the iframes on A.com and B.com that way.

Agreed. Even in the absence of a server, wouldn't those iframes also be able
to communicate via cookies, or localStorage, or any other common data shared
across the domain? I'd be curious about what specific privacy violations
this enables that couldn't already be done in other ways that IE9 does
support?

Also, the PDF you link to describes a DoNotTrack HTTP header/DOM attribute
and a filter list for preventing network access to specific domains - I'm
not certain how either of those pertain to this issue (other than the fact
that said filter lists would equally apply to network connections used from
worker context). Can you provide some clarification of your concerns?