- From: <bugzilla@jessica.w3.org>
- Date: Tue, 26 Jul 2011 19:18:05 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13373

Summary: Privacy: Limit SharedWorker connections to same top-level domain
Product: WebAppsWG
Version: unspecified
Platform: PC
OS/Version: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Web Workers (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: travil@microsoft.com
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org

Per privacy discussion [1], Shared Workers should have a privacy clause allowing UAs to prevent SharedWorkers from connecting when they detect that a user's privacy could be at risk.

It is recommended that in addition to the existing checks (steps 7.5, 7.6, 7.7.1) for making a connection to a SharedWorker [2], another check should be added that compares the top-level domain of the candidate shared worker global scope's owning document(s) to the top-level document of the script that invoked the constructor. If they are the same, then the connection is allowed to proceed; otherwise, a new SharedWorkerGlobalScope should be created.

This additional privacy clause would allow connections for iframes of the same domain within a top-level document:

Top Level Window - http://a.com
  Iframe_one - http://b.com
  iframe_two - http://b.com

Iframe_one and iframe_two would be allowed to connect...

but would disallow connections for a different top-level document:

Top Level Window - http://c.com
  iframe_three - http://b.com

iframe_three would get a unique shared worker, separate from the one shared by iframe_one & iframe_two.

[1] http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/0293.html
[2] http://dev.w3.org/html5/workers/#sharedworker
Received on Tuesday, 26 July 2011 19:18:10 UTC
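
The check proposed in the report, modelled as an added example that is not part of the original message or of any browser's code. `SharedWorkerRegistry`, `connect`, `runScenario`, the `/worker.js` path and the page file names are hypothetical; the URL-and-name comparison is a simplified stand-in for the existing checks, and "top-level domain" is assumed to mean the hostname of the top-level document.

```javascript
// Toy model of a UA's lookup for an existing SharedWorkerGlobalScope.
// Hypothetical names throughout; this is not a browser API.
class SharedWorkerRegistry {
  constructor() {
    this.scopes = [];
  }

  // Returns the scope the calling document ends up connected to.
  connect({ workerUrl, name = "", documentUrl, topLevelUrl }) {
    const resolved = new URL(workerUrl, documentUrl).href;
    // Assumption: compare hostnames of the top-level documents.
    const callerTop = new URL(topLevelUrl).hostname;

    const match = this.scopes.find((scope) =>
      // Simplified stand-in for the existing checks: same script URL and name.
      scope.url === resolved && scope.name === name &&
      // Proposed check: every owning document shares the caller's top-level domain.
      scope.owners.every((owner) => owner.topDomain === callerTop));

    // No match means a new, separate scope, as the report recommends.
    const scope = match || this.createScope(resolved, name);
    scope.owners.push({ documentUrl, topDomain: callerTop });
    return scope;
  }

  createScope(url, name) {
    const scope = { id: this.scopes.length + 1, url, name, owners: [] };
    this.scopes.push(scope);
    return scope;
  }
}

// Constructed scenario from the report: a.com and c.com each embed b.com frames.
function runScenario() {
  const registry = new SharedWorkerRegistry();
  const worker = { workerUrl: "/worker.js", name: "shared" };
  const one = registry.connect({ ...worker,
    documentUrl: "http://b.com/one.html", topLevelUrl: "http://a.com/" });
  const two = registry.connect({ ...worker,
    documentUrl: "http://b.com/two.html", topLevelUrl: "http://a.com/" });
  const three = registry.connect({ ...worker,
    documentUrl: "http://b.com/three.html", topLevelUrl: "http://c.com/" });
  return { one: one.id, two: two.id, three: three.id,
           scopeCount: registry.scopes.length };
}

console.log(runScenario());
```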