Re: Blob URL Origin

On May 22, 2014, at 4:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Thanks, I'm convinced.
> 
> So now I'd like to know what policy we want so we can carefully define it.


The latest editor’s draft of the File API specifies what we discussed in this email thread as syntax for Blob URLs:

http://dev.w3.org/2006/webapi/FileAPI/#DefinitionOfScheme

and origin, including how to serialize the Blob URL.



> For blob URLs (and prolly filesystem and indexeddb) we put the origin
> in the URL and define a way to extract it again so new
> URL(blob).origin does the right thing.


I wonder if .origin should be static?



> For fetching blob URLs (and prolly filesystem and indexeddb) we
> effectively act as if the request's mode was same-origin. Allowing
> tainted cross-origin requests would complicate UUID (for the UA) and
> memory (for the page) management in a multiprocess environment.


We’re not allowing them.

— A*

Received on Wednesday, 28 May 2014 21:44:08 UTC
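
The following is an added example, not part of the original message or of the File API draft. It extracts the origin embedded in a blob URL and applies the same-origin fetch policy discussed in the thread. The function names and the UUID are hypothetical, and the layout `blob:<serialized origin>/<UUID>` is an assumption.

```javascript
// Added example: hypothetical helpers, not code from the File API draft or any browser.
// Assumed blob URL layout: "blob:" + serialized origin + "/" + UUID.

// Returns the serialized origin embedded in a blob URL, the string "null"
// for an opaque origin, or null (the value) if the input is not a blob URL.
function blobUrlOrigin(blobUrl) {
  if (typeof blobUrl !== "string" || !blobUrl.toLowerCase().startsWith("blob:")) {
    return null;
  }
  const inner = blobUrl.slice("blob:".length);
  let parsed;
  try {
    // Parse the embedded URL instead of prefix-matching the string, so that
    // userinfo ("https://a@b/") and default ports are normalized correctly.
    parsed = new URL(inner);
  } catch {
    return "null"; // e.g. "blob:null/<uuid>" minted by an opaque origin
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return "null"; // treat any other embedded scheme as opaque
  }
  return parsed.origin;
}

// Same-origin policy for fetching: the requester's serialized origin must
// equal the origin embedded in the blob URL. Opaque origins never match.
function mayFetchBlob(blobUrl, requesterOrigin) {
  const origin = blobUrlOrigin(blobUrl);
  if (origin === null || origin === "null" || requesterOrigin === "null") {
    return false;
  }
  return origin === requesterOrigin;
}

// Constructed sample inputs (the UUID is made up).
const UUID = "00000000-0000-4000-8000-000000000000";
const samples = [
  `blob:https://example.org/${UUID}`,
  `blob:https://example.org:443/${UUID}`,         // default port is dropped
  `blob:https://example.org@other.example/${UUID}`, // userinfo, host is other.example
  `blob:null/${UUID}`,                             // opaque origin
];
for (const s of samples) {
  console.log(s, "->", blobUrlOrigin(s), mayFetchBlob(s, "https://example.org"));
}
```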