
Re: ACTION-146, propose spec text for Workers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 25 Nov 2013 11:29:26 +0000
Message-ID: <CADnb78jvVGTd+dNijmfQQczKiviK29=ckcE4snCZatXBv2z=eQ@mail.gmail.com>
To: Garrett Robinson <grobinson@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Sat, Nov 23, 2013 at 12:02 AM, Garrett Robinson
<grobinson@mozilla.com> wrote:
> * Workers can link to resources with any mimetype. Iframes can just
> link to resources explicitly served as text/html.

<iframe> can load many more resource types. But text/html and XML MIME
types are the only ones that can also execute script.

> * Workers are always same-origin. Iframes can be any origin.
> * While workers can't directly read content from the webpage, they can
> perform XHR requests to the server, read locally stored data
> (including cookies and IDB in the future) and probably in the future
> take actions like access geolocation API using the principal of the
> opening page.

An <iframe> loaded resource can do the same, no?

Received on Monday, 25 November 2013 11:29:56 UTC
