[whatwg] Workers and URL origin check

Hi WHATWG!
I have a question about URL origin check for Workers: the spec, in 4.8.2,
mandates a check for the Worker URL to be the 'same origin' with the parent
document's URL. At the same time, 4.2 says the origin of the worker is
derived later from the URL represented by the 'location' object of the
worker context.

However, the spec doesn't say how redirects should be processed. If a
browser gets 30x redirect request, the final URL of a worker can be
different from the original one which has passed the check before loading.
Current spec ignores the fact that origin can be changed via redirect. If
the origin of the loaded worker is based on the final (potentially
redirected) URL that 'location' object represents, then subsequent XHR
requests, nested workers and importScripts() will work in the origin of that
final URL. As specified, in case of redirect the page from "
http://applicationInternals.com" can use a worker from "
http://application.com" (via redirect) to access APIs of
application.comthat were not necessarily intended for such
consumption.

Should the spec simply require the redirected, final URLs to be checked
against parent's and reject the script if redirection results in a different
origin?

Thanks,
Dmitry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090527/9135dd86/attachment.htm>

Received on Wednesday, 27 May 2009 17:13:39 UTC