W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: File API: why is there same-origin restriction on blob URLs?

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 29 Mar 2013 08:17:56 -0700
Message-ID: <CA+c2ei_VH1KhezdE6EZ6pTMEbMuTi4+ZHh9FB36CDUewqvoJ4Q@mail.gmail.com>
To: Glenn Maynard <glenn@zewt.org>
Cc: WebApps WG <public-webapps@w3.org>, Arun Ranganathan <arun@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Yehuda Katz <wycats@gmail.com>
On Mar 28, 2013 7:36 AM, "Glenn Maynard" <glenn@zewt.org> wrote:
>
> On Wed, Mar 27, 2013 at 1:35 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> Same question applies if you create an <img src="blob:..."> and then
>> drawImage it into a canvas, does the canvas get tainted? Again, I
>> think different browsers do different things for data: URLs here.
>
>
> You'd need to say <img crossorigin> to not taint, since it's still
cross-origin, but other than that there's no reason to taint.  The idea of
image tainting is preventing access when the caller wouldn't have direct
access to pixels, which isn't the case here.

What I'm saying if that different browsers behave differently here.

Requiring the crossorigin attribute might be your opinion on how to solve
it, but its not matching how any browsers treat data: URLs right now.

/ Jonas
Received on Friday, 29 March 2013 15:18:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 29 March 2013 15:18:25 UTC