On Wed, Apr 20, 2011 at 5:58 PM, Andrew Wilson <[email protected]> wrote:
> On Wed, Apr 20, 2011 at 4:05 PM, Jonas Sicking <[email protected]> wrote:
>> That's why we're working on trying to fix fingerprinting.
>>
>> The point is that privacy is something that we're all working on
>> trying to improve (right?), and the WebWorkers spec needs to be
>> changed to aid with that. As far as I can see all that's needed is to
>> say that a UA is allowed to not share a worker, and ideally point out
>> that such sharing could be disabled when the frame-parent chain
>> contains cross origin iframes.
>
> Thanks for the clarification, Jonas. So I'm concerned that a blanket
> prohibition would break legitimate use cases (iframe-based widgets on a page
> communicating with one another). Let's say we have the following:
> Top Level Window - http://a.com
>   Iframe_one - http://b.com
>   iframe_two - http://b.com
> Top Level Window - http://c.com
>   iframe_three - http://b.com
> If iframe_one, two, and three all create the same shared worker, would any
> sharing be allowed in the situation you propose? I would at least want
> iframe_one and iframe_two to end up referencing a common instance, even if
> privacy policy caused iframe_three to get a separate instance because the
> top-level window was pointed at c.com instead of a.com.
> This seems reasonable to me - I suspect that's what you (and Travis) were
> suggesting, but I wasn't positive.

Yes, on the surface it seems to me that this would be ok. Though given
that it's a more complex solution than a simple blanket prohibition
any time cross-site frames are involved, it's possible that I'm
missing some privacy leak vector.

/ Jonas
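
Added example, not part of the original message: a small JavaScript model of the sharing policies discussed in this thread, run over the frame layout Andrew describes. The `frame`, `workerKey` and `groups` helpers and the policy names are hypothetical; this is not the Web Workers spec algorithm or any browser's implementation.

```javascript
// Added illustration: frame(), workerKey(), groups() and the policy names
// are hypothetical, not taken from the spec or from any browser.
const frame = (id, origin, parent = null) => ({ id, origin, parent });

// Origins along the frame-parent chain, starting at the frame itself.
function ancestorOrigins(f) {
  const chain = [];
  for (let cur = f; cur; cur = cur.parent) chain.push(cur.origin);
  return chain;
}

// Key under which a shared worker instance is looked up.
// Frames that produce equal keys end up sharing one instance.
function workerKey(policy, f, scriptUrl, name) {
  const base = `${scriptUrl}|${name}`;
  const chain = ancestorOrigins(f);
  const crossOrigin = chain.some((o) => o !== f.origin);
  switch (policy) {
    case "unpartitioned": // same script URL and name always share
      return base;
    case "blanket": // no sharing once the chain has a cross-origin frame
      return crossOrigin ? `${base}|private:${f.id}` : base;
    case "top-level": // share only under the same top-level origin
      return `${base}|top:${chain[chain.length - 1]}`;
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Groups frame ids by the worker instance they would reference.
function groups(policy, frames, scriptUrl, name) {
  const byKey = new Map();
  for (const f of frames) {
    const k = workerKey(policy, f, scriptUrl, name);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(f.id);
  }
  return [...byKey.values()];
}

// Constructed scenario: the frame layout from the quoted message.
const a = frame("top_a", "http://a.com");
const c = frame("top_c", "http://c.com");
const frames = [
  frame("iframe_one", "http://b.com", a),
  frame("iframe_two", "http://b.com", a),
  frame("iframe_three", "http://b.com", c),
];
for (const p of ["unpartitioned", "blanket", "top-level"])
  console.log(p, JSON.stringify(groups(p, frames, "http://b.com/worker.js", "w")));
```

Under the "top-level" policy, iframe_one and iframe_two share an instance while iframe_three gets its own; under "blanket", all three are isolated, which is the widget breakage Andrew raises.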
