[whatwg] Offline Cache iframe inheritance
Honza Bambas
honzab at allpeers.com
Wed Oct 29 08:31:16 PDT 2008

The spec says that when an iframe (a child browsing context) doesn't refer to a
manifest in the <html> tag, it has to inherit the cache from its parent's
document.

1. This should be restricted to the same origin because when an offline
application loads a site in an iframe (an advertisement or whatever
site), that site has full access to the window.applicationCache object and
can inject into the cache any kind of resource from any origin without
user notification. This resource is then carried among cache versions
until explicitly overwritten or deleted from the cache.

2. When a completely different site from a different origin, in this
case not malicious, is loaded in an iframe from inside of an offline
application, the site would probably be completely broken - the
resources on the page could not be loaded because of the associated cache
of a probably unrelated offline application.

3. Master documents are associated with the cache after the cache update
has finished. I perceive this step as a way to make the offline application
document be in a consistent state after the cache update has finished w/o the
need to refresh the top document, right? But iframes that should inherit
the cache from their parents are not associated (there was no cache at the
moment of load/cache selection algorithm, and there is nothing visible in the
spec that does the association later). A workaround is to add a reference to the
manifest to all iframe'd documents, but in that case there is no need to
have special handling for such child contexts in case they don't refer to
a manifest.

All these points lead me to the opinion that we should remove the cache
inheritance for child contexts feature. The manifest reference will not involve
any new updates because they are atomically cumulated and let different sites
"fall off" the offline app context. Also we don't have any cross-site
security risks, even just potential.

Potentially, to preserve inheritance and save web developers some work,
we may introduce an explicit attribute on iframe, either by defining
the manifest to use or by just saying to let the context inherit the cache
from the parent.

-hb-
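
The difference between unrestricted inheritance and the same-origin restriction raised in points 1 and 2 above, as an added example that is not part of the original message or of the spec. It is a simplified model: the function names, the policy labels and the sample frame tree are all hypothetical and constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not the spec's algorithm.
// policy "inherit": a child without a manifest takes its parent's cache.
// policy "same-origin": it does so only when its origin matches the parent's.
function associateCaches(frame, policy, parent = null, out = []) {
  const origin = new URL(frame.url).origin;
  let cache = null;
  let inherited = false;
  if (frame.manifest) {
    // A document that names its own manifest always uses that cache.
    cache = new URL(frame.manifest, frame.url).href;
  } else if (parent && parent.cache) {
    const sameOrigin = origin === parent.origin;
    if (policy === "inherit" || sameOrigin) {
      cache = parent.cache;
      inherited = true;
    }
  }
  out.push({ url: frame.url, cache, crossOrigin: inherited && origin !== parent.origin });
  for (const child of frame.children || []) {
    associateCaches(child, policy, { origin, cache }, out);
  }
  return out;
}

// Frames that end up bound to a cache owned by a different origin.
function crossOriginInheritors(tree, policy) {
  return associateCaches(tree, policy).filter(f => f.crossOrigin).map(f => f.url);
}

// Constructed sample page: an offline app embedding a help page and an ad.
const sampleApp = {
  url: "https://app.example/index.html",
  manifest: "app.manifest",
  children: [
    { url: "https://app.example/help.html", manifest: null },
    { url: "https://ads.example/banner.html", manifest: null },
  ],
};

for (const policy of ["inherit", "same-origin"]) {
  console.log(policy, associateCaches(sampleApp, policy));
}
```

Under "inherit" the ad frame is bound to the application's cache; under "same-origin" it gets no cache and loads from the network, while the same-origin help page still inherits.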