Re: IE - Security error with new Worker(URL.createObjectURL(new Blob([workerjs],{type:'text/javascript'})))

On Fri, Jun 6, 2014 at 11:42 AM, Travis Leithead <
travis.leithead@microsoft.com> wrote:

> Well, in IE's defense, this is not specifically allowed by:
> http://www.w3.org/TR/workers/#dom-worker. Regardless, the product team is
> working to fix this so that it works in IE as well. Stay tuned. I updated
> the Connect bug below.
>

(That link is very out of date and hard to read.  Corrected link:
http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html#dom-worker
)

The algorithm described by the spec does allow blob URLs, just like any
other URL, as long as the origin is the same.  There's a non-normative note
in the spec that makes this extra clear, but IE11 may predate it: "For
example, scripts can be external files with the same scheme, host, and port
as the original page, or data: URLs, or same-origin blob: URLs."

One potentially ambiguous part is that the origin of blob URLs isn't
defined clearly yet.  This is being worked on.

That said, IE11 isn't strictly out of spec, because the first step of the
algorithm allows browsers to refuse to load web workers for UA-defined
policy reasons: "1. The user agent may throw a SecurityError exception and
abort these steps if the request violates a policy decision."  However,
having a policy of not allowing workers to be loaded from blob URLs will
probably break pages that work in other browsers.

-- 
Glenn Maynard

Received on Friday, 6 June 2014 19:22:00 UTC
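
An added example, not part of the original message or of any browser's code: a page that builds its worker from a blob URL can treat the `SecurityError` refusal discussed above as a signal to load the same script from a same-origin file, while letting every other error surface. The helper names, the `env` parameter, the `/js/worker.js` path used in testing and the stub environment are assumptions made for illustration.

```javascript
// Treat only the policy refusal described above (SecurityError) as a reason to fall back.
function isSecurityError(err) {
  // DOMException name "SecurityError"; 18 is the legacy SECURITY_ERR code.
  return !!err && (err.name === 'SecurityError' || err.code === 18);
}

// env defaults to the browser globals; fallbackUrl is a hypothetical same-origin script URL.
function createInlineWorker(source, fallbackUrl, env) {
  env = env || globalThis;
  const blob = new env.Blob([source], { type: 'text/javascript' });
  const blobUrl = env.URL.createObjectURL(blob);
  try {
    const worker = new env.Worker(blobUrl);
    // Caller invokes release() once the worker has started, to free the blob URL.
    return { worker, via: 'blob', release: () => env.URL.revokeObjectURL(blobUrl) };
  } catch (err) {
    env.URL.revokeObjectURL(blobUrl);
    // Any other failure, or no fallback configured, is surfaced unchanged.
    if (!isSecurityError(err) || !fallbackUrl) throw err;
    return { worker: new env.Worker(fallbackUrl), via: 'fallback', release: () => {} };
  }
}

// Constructed stand-in for browser globals so the logic can be exercised outside a browser.
// refuseBlob=true imitates a user agent whose policy rejects blob: worker URLs.
function makeStubEnv(refuseBlob) {
  const revoked = [];
  function Worker(url) {
    if (refuseBlob && url.indexOf('blob:') === 0) {
      const e = new Error('policy refusal');
      e.name = 'SecurityError';
      throw e;
    }
    this.url = url;
  }
  function Blob(parts, opts) { this.parts = parts; this.type = opts.type; }
  const URL = {
    createObjectURL: () => 'blob:https://app.example/constructed-id',
    revokeObjectURL: (u) => revoked.push(u),
  };
  return { Worker, Blob, URL, revoked };
}
```

In a browser, call `createInlineWorker(workerjs, '/path/to/worker.js')` with no third argument so the real `Worker`, `Blob` and `URL` globals are used.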