On Jun 25, 2008, at 1:09 PM, Arun Ranganathan wrote:
> Doug Schepers, Charles McCathieNevile (Chairs), Members of the WG,
>
> On behalf of Mozilla, I'd like to introduce the possibility of two
> new work items for this group to consider. Neither of these is
> presented as a fait accompli, although we would like to consider
> both of these for inclusion in Firefox 3.Next if that is possible.
>
> 1. Worker Threads in Script. The idea is to offer developers the
> ability to spawn threads from within web content, as well as
> cross-thread communication mechanisms such as postMessage. Mozilla
> presents preliminary thought on the subject [1], and notes similar
> straw persons proposed by WHATWG [2] and by Google Gears [3]. Also
> for reference see worker threads in C# [4]. The Web Apps working
> group seems like a logical home for this work. Will other members
> of the WG engage with Mozilla on this, via additional work items
> covered by the charter of this WG?

Apple is interested in a worker API. The key issues for workers, in my
opinion, are security, messaging, and which of the normal APIs are
available. Right now, these things are covered in HTML5, so I think
that may be a better place to add a Worker API.
We would certainly like to coordinate our work in this area with the
proposed APIs cited.

> 2. Mitigation of XSS (Cross Site Scripting) and CSRF (Cross Site
> Request Forgery) Vulnerabilities. The idea is to provide a
> mechanism (possibly via HTTP headers, but not necessarily limited to
> HTTP headers) to stipulate a *strict* mode for script inclusion via
> "script src=" and prevention of inline scripts altogether. See Site
> Security Policy [5]. We encourage discussion about this topic via
> email. Will other members of the WG engage with Mozilla on this,
> via additional work items covered by the charter of this WG?

This one looks complicated and I'll need some time to review to form
an opinion. Some critical details seem to be missing from the
proposal, for example, one of the mechanisms calls for a preflight
policy check request but it is not described how to do this request.
Regards,
Maciej