W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: File API: why is there same-origin restriction on blob URLs?

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 27 Mar 2013 11:35:11 -0700
Message-ID: <CA+c2ei_D_UiVLPqMEXaA2+SOpn+oQT1Qx_qjbqoED2qQBCX_0g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebApps WG <public-webapps@w3.org>, Yehuda Katz <wycats@gmail.com>
On Wed, Mar 27, 2013 at 2:41 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> However we'd still need to nail down what the new behavior should be.
>> Should it behave like data: URLs? The main advantage of those is that
>> implementations still don't agree on how those should behave.
>
> I'm not sure what that means. I can easily postMessage() a data URL to
> an <iframe> of another origin and that <iframe> can then load the data
> URL in an <img> and have it work (obviously, as the data URL is
> self-contained).

The question is, what happens if you do:

<iframe src="blob:..." id=iframe>
iframe.onload = function() {
  iframe.contentWindow.document; // throws or not?
}

What if the blob-url was created in another origin, does that make a difference?

For data: URIs different browsers behave differently in the example above.

Same question applies if you create an <img src="blob:..."> and then
drawImage it into a canvas, does the canvas get tainted? Again, I
think different browsers do different things for data: URLs here.

/ Jonas
Received on Wednesday, 27 March 2013 18:36:51 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 27 March 2013 18:36:52 UTC