On Wed, Apr 20, 2011 at 12:54 PM, Tab Atkins Jr. <[email protected]> wrote:
> Please correct me if I'm missing something, but I don't see any new
> privacy-leak vectors here. Without Shared Workers, 3rdparty.com can
> just hold open a communication channel to its server and shuttle
> information between the iframes on A.com and B.com that way.

Agreed. Even in the absence of a server, wouldn't those iframes also be able to communicate via cookies, or localStorage, or any other common data shared across the domain? I'd be curious about what specific privacy violations this enables that couldn't already be done in other ways that IE9 does support?

Also, the PDF you link to describes a DoNotTrack HTTP header/DOM attribute and a filter list for preventing network access to specific domains - I'm not certain how either of those pertain to this issue (other than the fact that said filter lists would equally apply to network connections used from worker context). Can you provide some clarification of your concerns?
