Re: Blob URL Origin from Glenn Maynard on 2014-05-16 (public-webapps@w3.org from April to June 2014)

From: Glenn Maynard <glenn@zewt.org>
Date: Fri, 16 May 2014 10:10:09 -0500
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Jonas Sicking <jonas@sicking.cc>, Arun Ranganathan <arun@mozilla.com>, Web Applications Working Group WG <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <CABirCh_52wVypw+OipTMXSYgvs18NH1Z64kPhCf4MqOL+GmkpQ@mail.gmail.com>

On Fri, May 16, 2014 at 9:11 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I think the sad thing is that if you couple origins with blob URLs you
>
can no longer hand a blob URL to an <iframe>-based widget and let them
> play with it. E.g. draw, modify, and hand a URL back for the modified
> image. But I guess this is a scenario you explicitly want to outlaw,
> even though you could do the equivalent by passing a Blob object
> directly and that would always work.
>

As I recall, when I asked why blob URLs were same-origin only, the answer
was that it was uncertain whether all platforms had a good enough PRNG to
allow generating securely-unguessable tokens for blob URLs in order to make
sure sites can't guess blob URLs for other sites.  I don't think that's an
issue (if you don't have an entropy source to implement a secure PRNG, you
don't even have basic crypto).  I think that the same-origin restriction
for blob URLs should be removed.

-- 
Glenn Maynard

Received on Friday, 16 May 2014 15:10:37 UTC