Workers: Allow data urls

RESOLVED FIXED in mozilla10

Core
DOM
6 years ago
5 years ago

People

(Reporter: Ben Turner (not reading bugmail, use the needinfo flag!), Assigned: Ben Turner (not reading bugmail, use the needinfo flag!))

Tracking

(Depends on: 1 bug, {dev-doc-complete})

Trunk
mozilla10
x86_64
Windows 7
dev-doc-complete

Created attachment 572019
Patch, v1

We should allow data URLs to make workers. Patch attached.
Attachment #572019 - Flags: review?(jonas)
Attachment #572019 - Flags: review?(jonas) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/dc3fa66976e6
Whiteboard: [inbound]
https://hg.mozilla.org/mozilla-central/rev/dc3fa66976e6
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
Target Milestone: --- → mozilla10
Duplicate of this bug: 700626

Keywords: dev-doc-needed
Why are we going to allow data URL Workers while the spec explicitly disallows them?
http://dev.w3.org/html5/workers/#handler-worker-onmessage
Is a spec change proposed somewhere? If it is, please let me know the pointer.
I don't mind allowing it in itself so much, because we (and even Chrome) already allow Blob URL Workers.
In Gecko data-urls have always been considered same-origin, so in a way we are actually complying with the spec.

The origin of data urls is something that is still being debated in the spec world, so I don't think we should make a departure from our usual behavior here.
(In reply to Jonas Sicking (:sicking) from comment #6)
> In Gecko data-urls have always been considered same-origin, so in a way we
> are actually complying with the spec.

The "origin" definition of the HTML spec is:
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#terminology
| The term origin is used per its definition in the Origin specification.

And in the Origin specification, data URIs are defined as "globally unique identifiers" and cannot be same-origin with any domains.
http://tools.ietf.org/html/draft-abarth-origin-09#section-2.3
| A globally unique identifier is a value which is different from all
| other previously existing values.  For example, a sufficiently long
| random string is likely to be a globally unique identifier.
http://tools.ietf.org/html/draft-abarth-origin-09#section-4
| data URIs do not use a server-based naming authority and therefore have
| globally unique identifiers as origins.

So I think it's better to update the spec.
The draft expired on May 30, 2011.
I've updated:
https://developer.mozilla.org/En/DOM/Worker
https://developer.mozilla.org/En/Using_web_workers and
https://developer.mozilla.org/en/Firefox_10_for_developer

I did mention the disagreement about whether a data URI is valid under the same-origin policy or not.

I didn't make any changes to https://developer.mozilla.org/en/data_URIs as we don't list any usage there.

Is there a bug opened at the WhatWG/W3C to fix the documentation to explicitly allow dataURI? It would be helpful for me to follow it to know if/when the specs are changed to update the doc w/ this information.
Keywords: dev-doc-needed → dev-doc-complete
Depends on: 716820
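
The disagreement in this thread comes down to which origin a data: URL gets when the worker's same-origin check runs. The sketch below is an added example, not code from the patch or from Gecko; `draftOrigin`, `sameOrigin`, `workerScriptAllowed` and the policy names `unique` and `inherit` are hypothetical, and all URLs are constructed.

```javascript
// Added example: two ways to assign an origin to a worker script URL.
// All names here are hypothetical, not Gecko or spec identifiers.
let uniqueCounter = 0;

// Origin as in the quoted draft: (scheme, host, port) for server-based URLs,
// a fresh globally unique identifier for every data: URI.
function draftOrigin(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'data:') {
    return { unique: true, id: `unique-${++uniqueCounter}` };
  }
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  return {
    unique: false,
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || '',
  };
}

function sameOrigin(a, b) {
  // A unique origin only ever equals itself.
  if (a.unique || b.unique) return a.unique && b.unique && a.id === b.id;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// policy 'unique':  data: URIs get a unique origin (the draft's rule).
// policy 'inherit': data: URIs are treated as same-origin with the creating
//                   document (the behaviour the thread describes for Gecko).
function workerScriptAllowed(documentUrl, scriptUrl, policy) {
  const resolved = new URL(scriptUrl, documentUrl); // resolves relative URLs
  if (resolved.protocol === 'data:' && policy === 'inherit') return true;
  return sameOrigin(draftOrigin(documentUrl), draftOrigin(resolved.href));
}

// Constructed sample inputs.
const page = 'https://example.com/app/index.html';
const dataScript = 'data:text/javascript,postMessage(1)';
for (const policy of ['unique', 'inherit']) {
  console.log(policy, {
    relative: workerScriptAllowed(page, 'worker.js', policy),
    crossSite: workerScriptAllowed(page, 'https://other.example/w.js', policy),
    dataUrl: workerScriptAllowed(page, dataScript, policy),
  });
}
```

Only the data: case changes between the two policies; a cross-site https script is rejected under both.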