
Re: ACTION-146, propose spec text for Workers

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 21 Nov 2013 17:11:06 +0000 (UTC)
To: Anne van Kesteren <annevk@annevk.nl>
cc: Daniel Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <alpine.DEB.2.00.1311211709290.27139@ps20323.dreamhostps.com>
On Thu, 21 Nov 2013, Anne van Kesteren wrote:
> On Wed, Nov 20, 2013 at 6:49 PM, Ian Hickson <ian@hixie.ch> wrote:
> > Any URL that has the same origin as the incumbent settings object when 
> > the worker is created should work fine. I don't know what defines the 
> > origin of blob: URLs, but if they're same-origin URLs, they should 
> > work fine, per the worker spec.
> 
> How would you define that? If you compute the origin of a URL, 
> independent of anything else, a blob URL obviously yields a unique 
> identifier.

Why? You can easily define a blob:'s origin as being the origin registered 
for that blob: URL. It's just a lookup. You could even encode the origin 
directly into the URL (either opaquely or not), so that it wouldn't need 
to be expensive to look up.


> We can say that when fetched, a blob URL returns an untainted response 
> (its type is not error), and therefore works.

I don't see any reason to hard-code blob: URLs here.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 21 November 2013 17:11:32 UTC
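
Added example, not part of the original message or of any specification: a sketch of the two options the message describes for a blob: URL's origin (a lookup of the registered origin, or the origin encoded in the URL), applied to the same-origin check for a worker script. `BlobUrlStore`, `originOf`, `canStartWorker` and the URL layouts are hypothetical.

```javascript
// Added illustration: BlobUrlStore, originOf and canStartWorker are
// hypothetical names, not APIs from the Workers or File API specifications.
class BlobUrlStore {
  constructor() {
    this.entries = new Map(); // blob: URL -> { origin, body }
    this.nextId = 0;          // stand-in for the random UUID a browser would mint
  }

  // Register `body` on behalf of `creatorOrigin` and return its blob: URL.
  // With embedOrigin, the origin is also written into the URL itself.
  register(creatorOrigin, body, { embedOrigin = false } = {}) {
    const id = `id-${this.nextId++}`;
    const url = embedOrigin ? `blob:${creatorOrigin}/${id}` : `blob:${id}`;
    this.entries.set(url, { origin: creatorOrigin, body });
    return url;
  }

  revoke(url) {
    this.entries.delete(url);
  }
}

// Origin of a URL. For blob: URLs, read the embedded origin when there is
// one (no lookup needed); otherwise look up the registration.
// null means the URL has no usable origin (unknown or revoked).
function originOf(url, store) {
  if (!url.startsWith("blob:")) return new URL(url).origin;
  const inner = url.slice("blob:".length);
  if (/^https?:\/\//.test(inner)) return new URL(inner).origin;
  const entry = store.entries.get(url);
  return entry ? entry.origin : null;
}

// Same-origin rule for a worker script. A blob: URL must also still be
// registered: an origin that merely appears in the string proves nothing.
function canStartWorker(scriptUrl, creatorOrigin, store) {
  if (originOf(scriptUrl, store) !== creatorOrigin) return false;
  return !scriptUrl.startsWith("blob:") || store.entries.has(scriptUrl);
}
```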
