Re: ACTION-146, propose spec text for Workers

From: Garrett Robinson <grobinson@mozilla.com>
Date: Mon, 25 Nov 2013 10:55:10 -0500
Message-ID: <529372DE.90301@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>
CC: WebAppSec WG <public-webappsec@w3.org>
On 11/25/2013 06:29 AM, Anne van Kesteren wrote:
> On Sat, Nov 23, 2013 at 12:02 AM, Garrett Robinson
> <grobinson@mozilla.com> wrote:
>> * Workers can link to resources with any mimetype. Iframes can just
>> link to resources explicitly served as text/html.
> 
> <iframe> can load much more resource types. But text/html and XML MIME
> types are the only ones that can also execute script.
> 
> 
>> * Workers are always same-origin. Iframes can be any origin.
>> * While workers can't directly read content from the webpage, they can
>> perform XHR requests to the server, read locally stored data
>> (including cookies and IDB in the future) and probably in the future
>> take actions like access geolocation API using the principal of the
>> opening page.
> 
> An <iframe> loaded resource can do the same, no?

Only if it is same origin. If your argument is that Workers and
same-origin iframes have a similar attack model, I would agree - but
we're talking about controlling Workers with the same directive as
iframes, which can also be cross-origin. This is at best confusing:

frame-src 'self' trusted.foo.com

We can load iframes from same origin and trusted.foo.com, but Workers
only from same origin. Additionally, Workers can be loaded from a data
URI. This makes me wonder - how does frame-src interact with iframes
created from data: URIs?
Received on Monday, 25 November 2013 15:55:42 UTC
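An added example, not code from the thread: a simplified CSP source-list matcher in JavaScript showing how a directive value such as `frame-src 'self' trusted.foo.com` treats the three cases Garrett raises (same-origin, trusted.foo.com, and a data: URI). The page origin https://example.com, the worker and frame URLs, and the host evil.example.net are assumptions; the matcher covers 'self', scheme-sources and host-sources (scheme, *.wildcard, port) only, so a data: URL passes only when the `data:` scheme-source is listed explicitly.

```javascript
// Added example (not from the mailing-list thread): minimal CSP source-list
// matching for the frame-src question above. Assumed page origin and URLs.

// "'self' trusted.foo.com data:" -> ["'self'", "trusted.foo.com", "data:"]
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// host-source: [scheme://]host[:port][/path], host may be * or *.example
function hostSourceMatches(expr, url, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: explicit scheme must match; otherwise the page's scheme, with an
  // http page also allowed to load https. data: never matches a host-source.
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }
  const h = url.hostname.toLowerCase(), target = host.toLowerCase();
  if (target === '*') { /* any host */ }
  else if (target.startsWith('*.')) { if (!h.endsWith(target.slice(1))) return false; }
  else if (h !== target) return false;
  // Port: '*' is any, an explicit port must match, no port means the default.
  if (port === '*') return true;
  return port ? url.port === port : url.port === '';
}

function sourceMatches(expr, url, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === page.origin;   // data: origin is "null"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme-source
  return hostSourceMatches(expr, url, page);
}

function isAllowed(directiveValue, urlString, pageUrlString) {
  const url = new URL(urlString), page = new URL(pageUrlString);
  return parseSourceList(directiveValue).some(expr => sourceMatches(expr, url, page));
}

// The thread's policy applied to a same-origin worker, a trusted frame,
// an untrusted host and a data: URI (all URLs are constructed sample values).
const POLICY = "'self' trusted.foo.com";
const PAGE = 'https://example.com/app';
function evaluateThreadCases() {
  return {
    sameOriginWorker: isAllowed(POLICY, 'https://example.com/worker.js', PAGE),
    trustedFrame: isAllowed(POLICY, 'https://trusted.foo.com/widget', PAGE),
    otherHost: isAllowed(POLICY, 'https://evil.example.net/', PAGE),
    dataUri: isAllowed(POLICY, 'data:text/javascript,postMessage(1)', PAGE),
    dataUriListed: isAllowed(POLICY + ' data:', 'data:text/javascript,postMessage(1)', PAGE),
  };
}
```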