[Bug 13373] New: Privacy: Limit SharedWorker connections to same top-level domain


           Summary: Privacy: Limit SharedWorker connections to same
                    top-level domain
           Product: WebAppsWG
           Version: unspecified
          Platform: PC
        OS/Version: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Workers (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: travil@microsoft.com
         QAContact: member-webapi-cvs@w3.org
                CC: mike@w3.org, public-webapps@w3.org

Per privacy discussion [1], Shared Workers should have a privacy clause
allowing UAs to prevent SharedWorkers from connecting when they detect that a
user's privacy could be at risk.

It is recommended that in addition to the existing checks (steps 7.5, 7.6,
7.7.1) for making a connection to a SharedWorker [2], another check should be
added that compares the top-level domain of the candidate shared worker global
scope's owning document(s) to the top-level document of the script that invoked
the constructor. If they are the same, then the connection is allowed to
proceed; otherwise, a new SharedWorkerGlobalScope should be created.

This additional privacy clause would allow connections for iframes of the same
domain within a top-level document:

Top Level Window - http://a.com
     Iframe_one - http://b.com
     iframe_two - http://b.com

Iframe_one and iframe_two would be allowed to connect, but the clause would
disallow connections for a different top-level document:

Top Level Window - http://c.com
     iframe_three - http://b.com

iframe_three would get a unique shared worker, separate from the one shared by
iframe_one & iframe_two.

[1] http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/0293.html
[2] http://dev.w3.org/html5/workers/#sharedworker
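The following is an added illustration, not code from the bug report, the Web Workers specification, or any browser. It is a toy model of a user agent's SharedWorker connection decision with the proposed top-level-document comparison added as a switchable check, so the two scenarios above (a.com embedding two b.com iframes, c.com embedding a third) can be run side by side with and without the check. All names here (`UserAgent`, `SharedWorkerScope`, `runScenario`, the `partitionByTopLevel` option) are hypothetical; "top-level domain" is approximated by the host of the top-level document's URL, and the existing spec steps are paraphrased as a same-origin-plus-same-name match that rejects a differing script URL.

```javascript
// Toy model of the SharedWorker connection algorithm with the proposed
// privacy check. Hypothetical names throughout; not spec or browser code.

// A SharedWorkerGlobalScope as the model sees it: identified by script URL
// and name, and (under the proposal) bound to the top-level host of the
// documents that own it.
class SharedWorkerScope {
  constructor(scriptUrl, name, topLevelHost) {
    this.scriptUrl = scriptUrl;
    this.name = name;
    this.topLevelHost = topLevelHost; // assumption: stands in for "top-level domain"
    this.owners = [];                 // documents connected to this scope
  }
}

// Host of the document at the top of the browsing-context tree.
function topLevelHost(doc) {
  return new URL(doc.topLevelUrl).host;
}

class UserAgent {
  // partitionByTopLevel=false models the spec as written; true adds the check
  // proposed in the report.
  constructor({ partitionByTopLevel = false } = {}) {
    this.partitionByTopLevel = partitionByTopLevel;
    this.scopes = [];
  }

  // `doc` is the document whose script ran `new SharedWorker(scriptUrl, name)`.
  // Returns the scope the document ended up connected to.
  connect(doc, scriptUrl, name = '') {
    const url = new URL(scriptUrl, doc.url);
    const docOrigin = new URL(doc.url).origin;
    // Existing rule: the worker script must be same-origin with the document.
    if (url.origin !== docOrigin) {
      throw new Error('SecurityError: worker script must be same-origin');
    }
    const tlHost = topLevelHost(doc);
    for (const scope of this.scopes) {
      // Existing candidate match (paraphrased): same origin and same name.
      if (scope.name !== name) continue;
      if (new URL(scope.scriptUrl).origin !== url.origin) continue;
      // Proposed check: a candidate owned by documents under a different
      // top-level host is not a match; fall through and create a new scope.
      if (this.partitionByTopLevel && scope.topLevelHost !== tlHost) continue;
      // Existing rule: same origin + same name but a different script URL is an error.
      if (scope.scriptUrl !== url.href) {
        throw new Error('URLMismatchError: name already bound to another script');
      }
      scope.owners.push(doc);
      return scope;
    }
    const scope = new SharedWorkerScope(url.href, name, tlHost);
    scope.owners.push(doc);
    this.scopes.push(scope);
    return scope;
  }
}

// Replays the report's two scenarios. Documents are constructed sample data:
// two b.com iframes under a.com and one b.com iframe under c.com, all asking
// for the same b.com worker script and name.
function runScenario(partitionByTopLevel) {
  const ua = new UserAgent({ partitionByTopLevel });
  const iframeOne = { url: 'http://b.com/one.html', topLevelUrl: 'http://a.com/' };
  const iframeTwo = { url: 'http://b.com/two.html', topLevelUrl: 'http://a.com/' };
  const iframeThree = { url: 'http://b.com/three.html', topLevelUrl: 'http://c.com/' };
  const s1 = ua.connect(iframeOne, '/worker.js', 'shared');
  const s2 = ua.connect(iframeTwo, '/worker.js', 'shared');
  const s3 = ua.connect(iframeThree, '/worker.js', 'shared');
  return {
    sameTopLevelShared: s1 === s2,       // iframe_one and iframe_two share
    crossTopLevelIsolated: s1 !== s3,    // iframe_three gets its own scope
    scopeCount: ua.scopes.length,
  };
}
```

Without the check, `runScenario(false)` yields a single scope reachable from both a.com and c.com embeddings, which is the cross-site linkage the report is concerned about; with it, `runScenario(true)` gives iframe_one and iframe_two one scope and iframe_three another, exactly as described above.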


Received on Tuesday, 26 July 2011 19:18:10 UTC