W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: File API: why is there same-origin restriction on blob URLs?

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 26 Mar 2013 17:30:23 -0700
Message-ID: <CA+c2ei9KuA4J9mg2uNvhCqFBq3YE6PANrLHw-x9sDVqQNgLKBQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebApps WG <public-webapps@w3.org>, Yehuda Katz <wycats@gmail.com>
On Tue, Mar 26, 2013 at 2:17 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Hi,
>
> Is there any particular reason why we restrict blob URLs to the same
> origin as the script that created them? In effect they are pretty much
> like capability URLs (containing an unguessable token). So if someone
> decides to share one, that should be okay I think. This would be
> useful in the context of sandboxed code (<iframe sandbox>) and
> presumably elsewhere too.

I think the original concern was that implementations might not be
able to reliably generate unguessable URLs. Potentially that's
something that we could require though.

However we'd still need to nail down what the new behavior should be.
Should it behave like data: URLs? The main advantage of those is that
implementations still don't agree on how those should behave.

/ Jonas
Received on Wednesday, 27 March 2013 00:31:25 GMT

This archive was generated by hypermail 2.3.1 : Wednesday, 27 March 2013 00:31:25 GMT