- From: Alexey Proskuryakov <ap@webkit.org>
- Date: Thu, 26 Mar 2009 23:19:22 +0300
On 26.03.2009, at 19:26, Drew Wilson wrote: > Letting faceless background processes update themselves without user > consent is not necessarily desirable. I think that they need browser > UI for this, and/or associated HTML configuration pages that could > (among other duties) trigger application cache update. > > I'd be curious about why you think this is a problem, especially > given the existence of importScripts() and XHR which allow workers > to load scripts dynamically anyway. importScripts() will only allow dynamic loading if any URL prefixes are designated as "NETWORK" in the manifest, which security sensitive users may potentially detect and block. The level of support for this in browsers, firewalls, anti-viruses and other software will obviously depend on future usage patterns and threats, but the possibility is there. But I was looking at this in terms of a model for users, not any specific security threats - if we think of persistent workers as an equivalent of native applications that need installation, then we should consider that native applications don't usually update themselves without user consent. - WBR, Alexey Proskuryakov
Received on Thursday, 26 March 2009 13:19:22 UTC