Along the same lines, I'm wondering why we require a same-domain check for initial worker URLs, but not for script imported via importScripts(). Seems like we ought to have workers inherit the origin of the script context that invoked the Worker constructor, but allow the script URL passed to the constructor to point at any domain.<br>
<br>Is there a motivating security concern for this language from section 4.8.2?:<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><p>If the <span>origin</span> of the resulting <span>absolute
URL</span> is not the <span title="same origin">same</span> as the
origin of the script that invoked the constructor, then throw a
<span>security exception</span>.
</p></blockquote>It seems like it makes it harder for people to share script across domains without actually providing any security.<br><br>-atw<br><br><div class="gmail_quote">On Wed, May 27, 2009 at 5:13 PM, Dmitry Titov <span dir="ltr"><<a href="mailto:dimich@chromium.org">dimich@chromium.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi WHATWG!<div><br></div><div>I have a question about URL origin check for Workers: the spec, in 4.8.2, mandates a check for the Worker URL to be the 'same origin' with the parent document's URL. At the same time, 4.2 says the origin of the worker is derived later from the URL represented by the 'location' object of the worker context.<br>
</div><div><br></div><div>However, the spec doesn't say how redirects should be processed. If a browser gets 30x redirect request, the final URL of a worker can be different from the original one which has passed the check before loading. Current spec ignores the fact that origin can be changed via redirect. If the origin of the loaded worker is based on the final (potentially redirected) URL that 'location' object represents, then subsequent XHR requests, nested workers and importScripts() will work in the origin of that final URL. As specified, in case of redirect the page from "<a href="http://applicationInternals.com" target="_blank">http://applicationInternals.com</a>" can use a worker from "<a href="http://application.com" target="_blank">http://application.com</a>" (via redirect) to access APIs of <a href="http://application.com" target="_blank">application.com</a> that were not necessarily intended for such consumption.</div>
<div><br></div><div>Should the spec simply require the redirected, final URLs to be checked against parent's and reject the script if redirection results in a different origin?</div><div><br></div><div>Thanks,</div><div>
Dmitry</div><font color="#888888"><div> </div>
</font></blockquote></div><br>