Re: ACTION-146, propose spec text for Workers

On 11/25/2013 06:29 AM, Anne van Kesteren wrote:
> On Sat, Nov 23, 2013 at 12:02 AM, Garrett Robinson
> <> wrote:
>> * Workers can link to resources with any mimetype. Iframes can just
>> link to resources explicitly served as text/html.
> <iframe> can load much more resource types. But text/html and XML MIME
> types are the only ones that can also execute script.
>> * Workers are always same-origin. Iframes can be any origin.
>> * While workers can't directly read content from the webpage, they can
>> perform XHR requests to the server, read locally stored data
>> (including cookies and IDB in the future) and probably in the future
>> take actions like access geolocation API using the principal of the
>> opening page.
> An <iframe> loaded resource can do the same, no?

Only if it is same origin. If your argument is that Workers and
same-origin iframes have a similar attack model, I would agree - but
we're talking about controlling Workers with the same directive as
iframes, which can also be cross-origin. This is at best confusing:

frame-src 'self'

We can load iframes from same origin and, but Workers
only from same origin. Additionally, Workers can be loaded from a data
URI. This makes me wonder - how does frame-src interact with iframes
created from data: URIs?

Received on Monday, 25 November 2013 15:55:42 UTC