Re: ACTION-146, propose spec text for Workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 19 Nov 2013 10:22:09 +0000
Message-ID: <CADnb78jkvYq=x+e5gusFvus6GuNRBp3K5i3p_zRWT=7S+JV9jg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Nov 19, 2013 at 12:07 AM, Brad Hill <hillbrad@gmail.com> wrote:
> Does anyone know if a SharedWorker can be created with "data:" "javascript:"
> or "blob:"?

Per http://www.whatwg.org/specs/web-apps/current-work/#dom-sharedworker
you can create a worker from a data URL. It's a special exception on
top of the same-origin policy that applies otherwise, meaning that any
other kind of URL won't work.

That also means that if you inherit the policy you have a problem.
(You won't know all parent policies ahead of time.)

As for javascript URLs, they are a special code path in the navigation
algorithm these days. And since only frames and the top-level browsing
context can navigate they're an error of sorts in workers.

Received on Tuesday, 19 November 2013 10:22:36 UTC