- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 28 May 2009 01:11:21 -0700
On Wed, May 27, 2009 at 6:15 PM, Drew Wilson <atwilson at google.com> wrote:
> Along the same lines, I'm wondering why we require a same-domain check for
> initial worker URLs, but not for script imported via importScripts().

This is because workers run in a security context of the initial worker URL. So this is the origin that is used for security checks whenever the worker does something, like load data using XMLHttpRequest. importScripts() however behaves more like <script> in that it runs the loaded script in the security context of the worker that loaded them.

> Seems
> like we ought to have workers inherit the origin of the script context that
> invoked the Worker constructor, but allow the script URL passed to the
> constructor to point at any domain.

That would be another solution to this problem, however some people preferred the solution that is currently in the spec.

/ Jonas
Received on Thursday, 28 May 2009 01:11:21 UTC