
Re: File API: why is there same-origin restriction on blob URLs?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 28 Mar 2013 05:44:28 +0000
Message-ID: <CADnb78h5Dh1WcD7SJ=_JVgcsjU3fJoQfNiEo9oAsPH4b6QYe3Q@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WebApps WG <public-webapps@w3.org>, Yehuda Katz <wycats@gmail.com>

On Wed, Mar 27, 2013 at 6:35 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> The question is, what happens if you do:
>
> <iframe src="blob:..." id=iframe>
> iframe.onload = function() {
>   iframe.contentWindow.document; // throws or not?
> }
>
> What if the blob-url was created in another origin, does that make a difference?
>
> For data: URIs different browsers behave differently in the example above.
>
> Same question applies if you create an <img src="blob:..."> and then
> drawImage it into a canvas, does the canvas get tainted? Again, I
> think different browsers do different things for data: URLs here.

I think both of those should work, including for data URLs (unless you
get either the blob or data URL as a result of a non same-origin
redirect (maybe any redirect?)). I need to sort a few things out in
http://fetch.spec.whatwg.org/ but then hopefully that can be used to
define this at least for data URLs. It's still a bit unclear to me how
we want to define blob URLs, but maybe that fits right in.


-- 
http://annevankesteren.nl/
Received on Thursday, 28 March 2013 05:44:56 UTC
