- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Mon, 25 Nov 2013 10:55:10 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: WebAppSec WG <public-webappsec@w3.org>
On 11/25/2013 06:29 AM, Anne van Kesteren wrote:
> On Sat, Nov 23, 2013 at 12:02 AM, Garrett Robinson
> <grobinson@mozilla.com> wrote:
>> * Workers can link to resources with any mimetype. Iframes can just
>> link to resources explicitly served as text/html.
>
> <iframe> can load much more resource types. But text/html and XML MIME
> types are the only ones that can also execute script.
>
>
>> * Workers are always same-origin. Iframes can be any origin.
>> * While workers can't directly read content from the webpage, they can
>> perform XHR requests to the server, read locally stored data
>> (including cookies and IDB in the future) and probably in the future
>> take actions like access geolocation API using the principal of the
>> opening page.
>
> An <iframe> loaded resource can do the same, no?

Only if it is same origin. If your argument is that Workers and same-origin iframes have a similar attack model, I would agree - but we're talking about controlling Workers with the same directive as iframes, which can also be cross-origin. This is at best confusing:

    frame-src 'self' trusted.foo.com

We can load iframes from same origin and trusted.foo.com, but Workers only from same origin.

Additionally, Workers can be loaded from a data URI. This makes me wonder - how does frame-src interact with iframes created from data: URIs?

Received on Monday, 25 November 2013 15:55:42 UTC