On Wed, Apr 20, 2011 at 4:05 PM, Jonas Sicking <[email protected]> wrote: > > > That's why we're working on trying to fix fingerprinting. > > The point is that privacy is something that we're all working on > trying to improve (right?), and the WebWorkers spec needs to be > changed to aid with that. As far as I can see all that's needed is to > say that a UA is allowed to not share a worker, and ideally point out > that such sharing could be disabled when the frame-parent chain > contains cross origin iframes. >
Thanks for the clarification, Jonas. So I'm concerned that a blanket prohibition would break legitimate use cases (iframe-based widgets on a page communicating with one another). Let's say we have the following: Top Level Window - http://a.com Iframe_one - http://b.com iframe_two - http://b.com Top Level Window - http://c.com iframe_three - http://b.com If iframe_one, two, and three all create the same shared worker, would any sharing be allowed in the situation you propose? I would at least want iframe_one and iframe_two to end up referencing a common instance, even if privacy policy caused iframe_three to get a separate instance because the top-level window was pointed at c.com instead of a.com. This seems reasonable to me - I suspect that's what you (and Travis) were suggesting, but I wasn't positive.
