- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 26 Jul 2011 15:25:16 -0400
- To: WebApps WG <public-webapps@w3.org>, travil@microsoft.com
- Cc: Thomas Roessler <tlr@w3.org>, Lieven Desmet <lieven.desmet@cs.kuleuven.be>, public-web-security <public-web-security@w3.org>
Travis,

I suspect you mean second-level domain (microsoft.com, w3.org) instead of top-level domain (.com, .net, .org).

Further, I'll observe that consistency with other, similar security policies would be valuable instead of introducing yet another privacy policy.

Adding public-web-security to the CC list.

Regards,
--
Thomas Roessler, W3C <tlr@w3.org> (@roessler)

On Jul 26, 2011, at 15:18 , bugzilla@jessica.w3.org wrote:

> http://www.w3.org/Bugs/Public/show_bug.cgi?id=13373
>
>            Summary: Privacy: Limit SharedWorker connections to same top-level domain
>            Product: WebAppsWG
>            Version: unspecified
>           Platform: PC
>         OS/Version: Windows NT
>             Status: NEW
>           Severity: normal
>           Priority: P2
>          Component: Web Workers (editor: Ian Hickson)
>         AssignedTo: ian@hixie.ch
>         ReportedBy: travil@microsoft.com
>          QAContact: member-webapi-cvs@w3.org
>                 CC: mike@w3.org, public-webapps@w3.org
>
>
> Per privacy discussion [1], Shared Workers should have a privacy clause
> allowing UAs to prevent SharedWorkers from connecting when they detect that a
> user's privacy could be at risk.
>
> It is recommended that in addition to the existing checks (steps 7.5, 7.6,
> 7.7.1) for making a connection to a SharedWorker [2], another check should be
> added that compares the top-level domain of the candidate shared worker global
> scope's owning document(s) to the top-level document of the script that invoked
> the constructor. If they are the same, then the connection is allowed to
> proceed; otherwise, a new SharedWorkerGlobalScope should be created.
>
> This additional privacy clause would allow connections for iframes of the same
> domain within a top-level document:
>
> Top Level Window - http://a.com
>   Iframe_one - http://b.com
>   iframe_two - http://b.com
>
> Iframe_one and iframe_two would be allowed to connect... but would disallow
> connections for a different top-level document:
>
> Top Level Window - http://c.com
>   iframe_three - http://b.com
>
> iframe_three would get a unique shared worker, separate from the one shared by
> iframe_one & iframe_two.
>
> [1] http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/0293.html
> [2] http://dev.w3.org/html5/workers/#sharedworker
>
> --
> Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
Received on Tuesday, 26 July 2011 19:25:20 UTC
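The check proposed in the quoted bug report, modelled as an added example that is not part of the thread, the Web Workers spec, or any browser's code. A SharedWorker instance is looked up by (resolved script URL, name), as the spec's connection steps already do, plus the site of the invoking document's top-level browsing context, so the three iframes in Travis's scenario map to exactly two workers. The names `siteOf`, `SharedWorkerRegistry`, `connect` and `demo` are invented here; the existing same-origin check is reduced to "script origin equals invoker origin" for brevity; and, following Roessler's correction, the partition key uses the second-level (registrable) domain, approximated as the last two host labels, which is an assumption that a real user agent would replace with a Public Suffix List lookup (otherwise co.uk, github.io and similar suffixes collapse unrelated sites into one partition).

```javascript
// Added example: a toy model of the SharedWorker connection check proposed in
// W3C bug 13373, keyed on the top-level document's site. Not spec or browser code.
// Names below (siteOf, SharedWorkerRegistry, connect, demo) are invented here.

// Approximate the registrable ("second-level") domain as the last two host
// labels. ASSUMPTION: a real implementation must consult the Public Suffix
// List so that e.g. example.co.uk and other.co.uk are not treated as one site.
function siteOf(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

class SharedWorkerRegistry {
  constructor() {
    this.workers = new Map(); // partition key -> { id, scriptUrl, name, ports }
    this.nextId = 1;
  }

  // scriptUrl, name: the SharedWorker constructor arguments.
  // invoker: { url, topLevelUrl } for the document calling the constructor,
  //          where topLevelUrl is its top-level browsing context's document URL.
  // Returns { workerId, created } so callers can see whether an existing
  // SharedWorkerGlobalScope was reused or a new one was created.
  connect(scriptUrl, name, invoker) {
    const script = new URL(scriptUrl, invoker.url);
    const invokerOrigin = new URL(invoker.url).origin;

    // Simplified form of the spec's existing origin check.
    if (script.origin !== invokerOrigin) {
      throw new Error('SecurityError: SharedWorker script must be same-origin with the invoking document');
    }

    // Proposed privacy check: two documents may only share a worker when their
    // top-level documents belong to the same site. Using a separator that
    // cannot occur in a URL keeps the key unambiguous.
    const key = [script.href, name, siteOf(invoker.topLevelUrl)].join('\u0000');

    let worker = this.workers.get(key);
    const created = worker === undefined;
    if (created) {
      worker = { id: this.nextId++, scriptUrl: script.href, name, ports: 0 };
      this.workers.set(key, worker);
    }
    worker.ports += 1; // one MessagePort per connecting document
    return { workerId: worker.id, created };
  }
}

// Constructed scenario from the bug report: b.com iframes under a.com and c.com.
function demo() {
  const registry = new SharedWorkerRegistry();
  const script = 'http://b.com/shared.js';
  const one = registry.connect(script, 'sync', { url: 'http://b.com/frame1', topLevelUrl: 'http://a.com/' });
  const two = registry.connect(script, 'sync', { url: 'http://b.com/frame2', topLevelUrl: 'http://a.com/' });
  const three = registry.connect(script, 'sync', { url: 'http://b.com/frame3', topLevelUrl: 'http://c.com/' });
  return { one, two, three, workerCount: registry.workers.size };
}

console.log(JSON.stringify(demo()));
```

Running `demo()` gives iframe_one and iframe_two the same worker id (the second connection reports `created: false`), while iframe_three under c.com gets a fresh worker, so the registry ends up holding two workers for one script. Keying on the site rather than the full top-level origin also means that a frame under www.a.com and one under shop.a.com share a worker, which is the "second-level domain" reading Roessler suggests.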