[whatwg] Feedback on Web Worker specification
Ian Hickson
ian at hixie.ch
Tue Jul 16 11:12:02 PDT 2013
On Thu, 22 Nov 2012, Fred Andrews wrote:
> >
> > Why would the user disable JavaScript if they wanted the page to act
> > like JavaScript was enabled?
>
> To avoid scripts leaking private state accessible via the DOM and other
> APIs the user could disable or restrict JS in contexts that have access
> to the DOM or other APIs. The 'web worker' like context would not have
> access to the DOM or other APIs and thus not be a security risk and
> could be allowed access to the web to forward information into the UA
> secure context. It is also proposed that the 'web worker' like context
> receive defined intentional input from users.
I don't understand the security model here, or the attack vector you are
concerned about.

Who are we trying to protect the DOM from?

How would a script running in a worker be able to cause any effect that
the user could see, if the script cannot communicate with a script that
does have access to the DOM?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'