Worker Threads and Site Security Policy | Two Possible New Items for Standardization
Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,

On behalf of Mozilla, I'd like to introduce the possibility of two new work items for this group to consider. Neither of these is presented as a fait accompli, although we would like to consider both of these for inclusion in Firefox 3.Next if that is possible.

1. Worker Threads in Script.

The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.

Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery) Vulnerabilities.

The idea is to provide a mechanism (possibly via HTTP headers, but not necessarily limited to HTTP headers) to stipulate a *strict* mode for script inclusion via script src= and prevention of inline scripts altogether. See Site Security Policy [5]. We encourage discussion about this topic via email.

Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

-- A*

[1] http://wiki.mozilla.org/DOMWorkerThreads
[2] http://hixie.ch/specs/dom/workers/0.9
[3] http://code.google.com/apis/gears/api_workerpool.html
[4] http://msdn.microsoft.com/en-us/library/5xt1dysy.aspx
[5] http://people.mozilla.com/~bsterne/site-security-policy/
Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
On Wed, Jun 25, 2008 at 1:09 PM, Arun Ranganathan wrote:
> 1. Worker Threads in Script.
>
> The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.
>
> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

Sounds good to Gears. We'd be interested in participating in this.

- a
Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
On Jun 25, 2008, at 1:09 PM, Arun Ranganathan wrote:
> Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,
>
> On behalf of Mozilla, I'd like to introduce the possibility of two new work items for this group to consider. Neither of these is presented as a fait accompli, although we would like to consider both of these for inclusion in Firefox 3.Next if that is possible.
>
> 1. Worker Threads in Script.
>
> The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.
>
> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

Apple is interested in a worker API. The key issues for workers, in my opinion, are security, messaging, and which of the normal APIs are available. Right now, these things are covered in HTML5, so I think that may be a better place to add a Worker API. We would certainly like to coordinate our work in this area with the proposed APIs cited.

> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery) Vulnerabilities.
>
> The idea is to provide a mechanism (possibly via HTTP headers, but not necessarily limited to HTTP headers) to stipulate a *strict* mode for script inclusion via script src= and prevention of inline scripts altogether. See Site Security Policy [5]. We encourage discussion about this topic via email.
>
> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

This one looks complicated and I'll need some time to review to form an opinion. Some critical details seem to be missing from the proposal, for example, one of the mechanisms calls for a preflight policy check request but it is not described how to do this request.

Regards,
Maciej
Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
Maciej,

>> 1. Worker Threads in Script.
>
> Apple is interested in a worker API. The key issues for workers, in my opinion, are security, messaging, and which of the normal APIs are available. Right now, these things are covered in HTML5, so I think that may be a better place to add a Worker API. We would certainly like to coordinate our work in this area with the proposed APIs cited.

Fair observation. I'll wait to hear from other parties (particularly the other user-agent companies) about where this ought to live. I note from a previous thread[1] that the presumption of a dependency on HTML5 has proven problematic to other WGs, which could sell your point about moving this to HTML5. My preference is to have it here since it is a Web API and thus should be treated as a modular piece of the ecosystem.

>> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery) Vulnerabilities.
>>
>> The idea is to provide a mechanism (possibly via HTTP headers, but not necessarily limited to HTTP headers) to stipulate a *strict* mode for script inclusion via script src= and prevention of inline scripts altogether. See Site Security Policy [5]. We encourage discussion about this topic via email.
>>
>> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?
>
> This one looks complicated and I'll need some time to review to form an opinion. Some critical details seem to be missing from the proposal, for example, one of the mechanisms calls for a preflight policy check request but it is not described how to do this request.

Fair observation, though note (as I said before) that this is far from a fait accompli. The uber idea is to induce a stricter script inclusion/inline script mechanism in user agents. Should that idea have currency with Apple, we'd be very interested in working with you (as we are with others) in sorting out the details.

Going forward, it might be wise to snap these two out of one email thread, but I'll wait on responses.

-- A*

[1] http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0413.html
Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
On Wed, 25 Jun 2008, Arun Ranganathan wrote:
> 1. Worker Threads in Script.
>
> The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.
>
> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

I'd be happy to volunteer to edit a specification for worker threads, whether this ends up as a separate spec in Web Apps or as an HTML5 chapter.

-- 
Ian Hickson               U+1047E                )\._.,--,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Re: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
Maciej Stachowiak wrote:
> On Jun 25, 2008, at 1:09 PM, Arun Ranganathan wrote:
>> Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,
>>
>> On behalf of Mozilla, I'd like to introduce the possibility of two new work items for this group to consider. Neither of these is presented as a fait accompli, although we would like to consider both of these for inclusion in Firefox 3.Next if that is possible.
>>
>> 1. Worker Threads in Script.
>>
>> The idea is to offer developers the ability to spawn threads from within web content, as well as cross-thread communication mechanisms such as postMessage. Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.
>>
>> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?
>
> Apple is interested in a worker API. The key issues for workers, in my opinion, are security, messaging, and which of the normal APIs are available. Right now, these things are covered in HTML5, so I think that may be a better place to add a Worker API. We would certainly like to coordinate our work in this area with the proposed APIs cited.

I'd really rather not add more stuff to HTML5, it's too big as it is. Ideally worker threads is something that we can nail down in a pretty short period of time, before HTML5 is out (targeted a few years into the future iirc).

Like you say, some features from HTML5 should be exposed in the context of worker threads. I don't really know how to handle that, but I can see two ways:

1. Make an informative note stating a list of features that we expect will be made available once there is a finished spec for them, but leave it up to the HTML5 spec to actually explicitly make this requirement.

2. Have a normative requirement that implementations that also support feature X from HTML5 make that implementation available to the worker thread as well.

/ Jonas
RE: Worker Threads and Site Security Policy | Two Possible New Items for Standardization
On Jun 25, 2008, at 1:09 PM, Arun Ranganathan wrote:
> Mozilla presents preliminary thought on the subject [1], and notes similar straw persons proposed by WHATWG [2] and by Google Gears [3]. Also for reference see worker threads in C# [4]. The Web Apps working group seems like a logical home for this work.
>
> Will other members of the WG engage with Mozilla on this, via additional work items covered by the charter of this WG?

[Sunava Dutta] We're still working on getting our membership here together. May we have copies to (I'm assuming what are URLs) for these proposals?