On 4/2/12 1:33 AM, Simon Pieters wrote:
Yes, but what do they use for the origin of the Worker object itself?
"Run a worker for the resulting absolute URL, with the script's browsing
context of the script that invoked the method as the owner browsing
context, with the script's document of the script that invoked the
method as the owner document, with the origin of the entry script as the
owner origin, and with worker global scope as the global scope."
http://www.whatwg.org/specs/web-apps/current-work/multipage/workers.html#dom-worker
Well, that's origin for the worker *script*.
Yes, that's not the same thing.
The Worker *object* doesn't have an origin, I think.
Well, what controls which scripts can touch the Worker object? That
should be controlled by the origin of the window or document it's
associated with, but the spec doesn't define what that is.
I.e. if you create one and then one of the documents involved has
.domain set on it, what happens?
The document's effective script origin changes. The origin doesn't.
Sure.
Workers use origin, not effective script origin, so setting
document.domain should have no effect on workers even if you set it
before creating the worker.
I think you're missing my point.
Say I have two documents d1 and d2, in windows w1 and w2 respectively.
These are same-effective-origin (whether because they started that way
or because both set document.origin to the same thing doesn't matter).
Assume script in w1 has a reference to w2 (e.g. w2 is in a subframe).
Script running in w1 does:
var worker = new w2.Worker(some_url);
Then script in w2 changes d2.origin, which changes the effective origin
of w2 and d2. What happens to script that runs later on in w1 and tries
to call a method on |worker|?
For comparison, if Worker is replaced with Image in the above scenario,
the correct answer is "a security exception is thrown" because for
purposes of touching the image object itself what matters is whether the
effective origin of the script that's running matches the effective
origin of the image's ownerDocument. Not that the spec actually says
this anywhere that I can tell...
http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin-0
has rules for specific things.
Yes, that's talking about a different thing entirely (e.g. for images
this defines an origin for the image _data_, not for the image object
itself; the two can obviously differ when the image load is not
same-origin with the page the <img> tag is in).
Perhaps the spec terminology for the thing I'm after here is "effective
script origin"? That seems to be what it uses for Document. But maybe
it only does that so it can define it for scripts by reference to the
document that loaded them?
In any case, the concept I'm after is "the thing that determines whether
script at a particular effective script origin can touch your
properties". The spec (_some_ spec, at least) needs to define the value
of this concept for all objects. The simplest thing is to piggyback on
the existing "all objects are associated with some global" bit in WebIDL
and say that for a given object this concept has the same value as the
global it's associated with (which is what Gecko, say, does in
practice). But then you have to define what the value of this concept
is for globals (for Windows it would be the effective script origin of
the .document, I believe) and which global each object is associated
with (the point of this thread).
-Boris
-Boris
