W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: File API: why is there same-origin restriction on blob URLs?

From: Glenn Maynard <glenn@zewt.org>
Date: Tue, 26 Mar 2013 20:19:01 -0500
Message-ID: <CABirCh_8AJYHO=Xx_gFP-cKZSjONDhj+K9Kupijvs8CZdARh6w@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebApps WG <public-webapps@w3.org>, Yehuda Katz <wycats@gmail.com>
On Tue, Mar 26, 2013 at 7:30 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> I think the original concern was that implementations might not be
>
able to reliably generate unguessable URLs. Potentially that's
> something that we could require though.
>

Being able to generate a securely-random token isn't a concern--if you
don't have a secure PRNG, you probably can't even do TLS.  The platform
already requires one for
https://developer.mozilla.org/en-US/docs/DOM/window.crypto.getRandomValues,
too.

For what it's worth, it seems like you don't strictly need to have
cross-origin access to blob URLs if you're passing the resource via
postMessage, since you can just post the Blob itself.  Doing it that way
avoids the brittleness of needing to revoke the URL--autoRevoke won't help
you if your'e posting a URL asynchronously--which is a significant
simplification for authors.  (Not to argue against relaxing this
restriction if the above is the only reason for it; in retrospect I might
have argued for restricting blob URLs to the same thread and event loop,
but it's too late for that now.)

-- 
Glenn Maynard
Received on Wednesday, 27 March 2013 01:19:28 GMT

This archive was generated by hypermail 2.3.1 : Wednesday, 27 March 2013 01:19:29 GMT