- From: Dmitry Titov <dimich@google.com>
- Date: Thu, 10 Dec 2009 14:12:10 -0800
On Thu, Dec 10, 2009 at 1:36 PM, Oliver Hunt <oliver at apple.com> wrote: > > Additionally there's the question of origin tainting -- is it possible to > taint the origin in a worker? you don;t have image elements, you can't xhr > unsafely to other origins, but maybe i'm missing something? > Is origin tainting relevant here because we want to make sure the image being processed before upload does not get sent to malicious site by the compromised worker script? It seems UA should taint the connected documents once worker gets tainted. There is importScript that can go cross-origin, just like <script> tag. Going to http or different origin should trigger 'mixed content' indication in UA for all pages connected to worker. XHR is SOP but there are bad SSL certs. Normally the workers XHR would silently fail if received a bad SSL cert response, but if the user previously replied "trust the site anyways" on the scary dialog while visiting the site, I think the access from worker then goes through with bad cert, since user already 'approved' it for the whole origin. Dmitry -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20091210/1ab37fc4/attachment.htm>
Received on Thursday, 10 December 2009 14:12:10 UTC