- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 19 Nov 2013 10:22:09 +0000
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Nov 19, 2013 at 12:07 AM, Brad Hill <hillbrad@gmail.com> wrote: > Does anyone know if a SharedWorker can be created with "data:" "javascript:" > or "blob:"? Per http://www.whatwg.org/specs/web-apps/current-work/#dom-sharedworker you can create a worker from a data URL. It's a special exception on top of the same-origin policy that applies otherwise, meaning that any other kind of URL won't work. That also means that if you inherit the policy you have a problem. (You won't know all parent policies ahead of time.) As for javascript URLs, they are a special code path in the navigation algorithm these days. And since only frames and the top-level browsing context can navigate they're an error of sorts in workers. -- http://annevankesteren.nl/
Received on Tuesday, 19 November 2013 10:22:36 UTC