
Re: File API: why is there same-origin restriction on blob URLs?

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 29 Mar 2013 18:42:17 -0700
Message-ID: <CA+c2ei_xR0sADXy7X3C3FKXuNvkdMNZ=aSn-_cbqq3YEzfKvZQ@mail.gmail.com>
To: Glenn Maynard <glenn@zewt.org>
Cc: WebApps WG <public-webapps@w3.org>, Anne van Kesteren <annevk@annevk.nl>, Arun Ranganathan <arun@mozilla.com>, Yehuda Katz <wycats@gmail.com>
On Mar 29, 2013 4:09 PM, "Glenn Maynard" <glenn@zewt.org> wrote:
>
> On Fri, Mar 29, 2013 at 10:17 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> What I'm saying is that different browsers behave differently here.
>>
>> Requiring the crossorigin attribute might be your opinion on how to
>> solve it, but it's not matching how any browsers treat data: URLs right now.
>
> We're talking about changing the behavior of blob URLs, not about data:
> URLs.
>
> This isn't my opinion; I'm just explaining what the spec currently says.
> Drawing cross-origin images always taints the canvas, and <img crossorigin>
> is used to prevent that, by effectively changing the image's origin
> (http://www.whatwg.org/specs/web-apps/current-work/#origin-0 "for images").

What the spec says is that cross origin URLs taint. However, different
browsers treat data: differently when it comes to whether it is crossorigin.

In any case, the crossorigin attribute wouldn't make sense here since it
requires the loaded URL to opt in to being crossorigin readable using CORS,
something that is not possible for data: URLs.

The reason that data: is relevant there is that blob: is proposed to behave
the same as data:.

/ Jonas
Received on Saturday, 30 March 2013 01:42:45 UTC
