W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2013

Re: File API: why is there same-origin restriction on blob URLs?

From: Glenn Maynard <glenn@zewt.org>
Date: Fri, 29 Mar 2013 18:09:00 -0500
Message-ID: <CABirCh8qQff9+Ppi4vwDOAw+HJOF7yJbUYAOZ9eRbDEx6O2KiA@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WebApps WG <public-webapps@w3.org>, Arun Ranganathan <arun@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Yehuda Katz <wycats@gmail.com>
On Fri, Mar 29, 2013 at 10:17 AM, Jonas Sicking <jonas@sicking.cc> wrote:

>  What I'm saying if that different browsers behave differently here.
>
> Requiring the crossorigin attribute might be your opinion on how to solve
> it, but its not matching how any browsers treat data: URLs right now.
>
We're talking about changing the behavior of blob URLs, not about data:
URLs.

This isn't my opinion; I'm just explaining what the spec currently says.
Drawing cross-origin images always taint the canvas, and <img crossorigin>
is used to prevent that, by effectively changing the image's origin (
http://www.whatwg.org/specs/web-apps/current-work/#origin-0 "for images").

-- 
Glenn Maynard
Received on Friday, 29 March 2013 23:09:27 UTC

This archive was generated by hypermail 2.3.1 : Friday, 29 March 2013 23:09:28 UTC