Re: Reminder: RfC: Last Call Working Draft of Web Workers; deadline April 21

On Wed, Apr 20, 2011 at 5:58 PM, Andrew Wilson <atwilson@google.com> wrote:
> On Wed, Apr 20, 2011 at 4:05 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> That's why we're working on trying to fix fingerprinting.
>>
>> The point is that privacy is something that we're all working on
>> trying to improve (right?), and the WebWorkers spec needs to be
>> changed to aid with that. As far as I can see all that's needed is to
>> say that a UA is allowed to not share a worker, and ideally point out
>> that such sharing could be disabled when the frame-parent chain
>> contains cross origin iframes.
>
> Thanks for the clarification, Jonas. So I'm concerned that a blanket
> prohibition would break legitimate use cases (iframe-based widgets on a page
> communicating with one another). Let's say we have the following:
> Top Level Window - http://a.com
>     iframe_one - http://b.com
>     iframe_two - http://b.com
> Top Level Window - http://c.com
>     iframe_three - http://b.com
> If iframe_one, two, and three all create the same shared worker, would any
> sharing be allowed in the situation you propose? I would at least want
> iframe_one and iframe_two to end up referencing a common instance, even if
> privacy policy caused iframe_three to get a separate instance because the
> top-level window was pointed at c.com instead of a.com.
> This seems reasonable to me - I suspect that's what you (and Travis) were
> suggesting, but I wasn't positive.

Yes, on the surface it seems to me that this would be ok. Though given
that it's a more complex solution than a simple blanket prohibition
any time cross-site frames are involved, it's possible that I'm
missing some privacy leak vector.

/ Jonas

Received on Thursday, 21 April 2011 01:55:59 UTC
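
The two policies discussed in this message, modelled over the three-iframe scenario quoted above. This is an added example, not code from the thread, the Web Workers spec or any browser; the function names, the policy labels "blanket" and "topLevel", the worker script URL, and the choice to key only on the top-level origin are assumptions made for illustration.

```javascript
// Constructed model of the scenario in the thread; not browser or spec code.
// Each frame is described by its ancestor chain of origins, top-level first.
const frames = {
  iframe_one:   ["http://a.com", "http://b.com"],
  iframe_two:   ["http://a.com", "http://b.com"],
  iframe_three: ["http://c.com", "http://b.com"],
};

// True when any frame in the parent chain has a different origin than the frame itself.
function hasCrossOriginAncestor(chain) {
  const own = chain[chain.length - 1];
  return chain.some((origin) => origin !== own);
}

// "blanket":  never share once the chain contains a cross-origin frame.
// "topLevel": share only among frames under the same top-level origin (assumed key).
function workerKey(policy, frameName, chain, scriptUrl, workerName) {
  const own = chain[chain.length - 1];
  const base = [own, scriptUrl, workerName];
  if (policy === "blanket") {
    // A per-frame component forces a private instance for embedded frames.
    const key = hasCrossOriginAncestor(chain) ? [...base, "private", frameName] : base;
    return JSON.stringify(key);
  }
  if (policy === "topLevel") {
    return JSON.stringify([chain[0], ...base]);
  }
  throw new Error("unknown policy: " + policy);
}

// Groups of frame names that end up attached to the same worker instance.
function sharingGroups(policy, scriptUrl, workerName) {
  const groups = new Map();
  for (const [name, chain] of Object.entries(frames)) {
    const key = workerKey(policy, name, chain, scriptUrl, workerName);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(name);
  }
  return [...groups.values()];
}

console.log(sharingGroups("blanket", "http://b.com/worker.js", ""));
console.log(sharingGroups("topLevel", "http://b.com/worker.js", ""));
```

Under the top-level-keyed policy the worker under c.com cannot observe that the same b.com widget is also running under a.com, while the two widgets on a.com still communicate through one instance.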