- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 16 Jul 2013 18:12:02 +0000 (UTC)
- To: Fred Andrews <fredandw@live.com>
- Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>

On Thu, 22 Nov 2012, Fred Andrews wrote:
> >
> > Why would the user disable JavaScript if they wanted the page to act
> > like JavaScript was enabled?
>
> To avoid scripts leaking private state accessible via the DOM and other
> APIs the user could disable or restrict JS in contexts that have access
> to the DOM or other APIs. The 'web worker' like context would not have
> access to the DOM or other APIs and thus not be a security risk and
> could be allowed access to the web to forward information into the UA
> secure context. It is also proposed that the 'web worker' like context
> receive defined intentional input from users.

I don't understand the security model here, or the attack vector you are
concerned about. Who are we trying to protect the DOM from? How would a
script running in a worker be able to cause any effect that the user could
see, if the script cannot communicate with a script that does have access
to the DOM?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 16 July 2013 18:12:28 UTC