Section 4.8.2 of the Web Workers spec reads: >>> When the Worker(scriptURL) constructor is invoked, the user agent must run the following steps: Resolve the scriptURL argument relative to the first script's base URL, when the method is invoked. If this fails, throw a SYNTAX_ERR exception. If the origin of the resulting absolute URL is not the same as the origin of the script that invoked the constructor, then throw a security exception. <<< "first script's base URL" == the base URL of the dynamic global object "origin of the script that invoked the constructor" == "origin of the lexical global object" Currently we are using the lexical global object for both. The fail case is somewhat subtle (you end up having to grab constructors cross-frame, while changing your origin via document.domain.