[whatwg] Workers and URL origin check

Jonas Sicking jonas at sicking.cc
Thu May 28 01:11:21 PDT 2009


On Wed, May 27, 2009 at 6:15 PM, Drew Wilson <atwilson at google.com> wrote:
> Along the same lines, I'm wondering why we require a same-domain check for
> initial worker URLs, but not for script imported via importScripts().

This is because workers run in a security context of the initial
worker URL. So this is the origin that is used for security checks
whenever the worker does something, like load data using
XMLHttpRequest.

importScripts() however behave more like <script> in that they run the
loaded script in the security context of the worked that loaded them.

> Seems
> like we ought to have workers inherit the origin of the script context that
> invoked the Worker constructor, but allow the script URL passed to the
> constructor to point at any domain.

That would be another solution to this problem, however some people
preferred the solution that is currently in the spec.

/ Jonas


More information about the whatwg mailing list