- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 29 May 2014 11:42:28 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Thu, May 29, 2014 at 8:38 AM, Jonas Sicking <jonas@sicking.cc> wrote: > On Thu, May 22, 2014 at 1:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote: >> For fetching blob URLs (and prolly filesystem and indexeddb) we >> effectively act as if the request's mode was same-origin. Allowing >> tainted cross-origin requests would complicate UUID (for the UA) and >> memory (for the page) management in a multiprocess environment. > > Hmm.. I think that is effectively it yes. I.e. even though <img> says > that it wants to permit cross-origin loads, we'd override that if the > fetch is for a blob: URL and only permit same-origin loads. Is that > what you mean? Yes. However, I wonder if this at a standards level should come into play in the URL parser. After all that creates a structured clone of the blob in question. The lookup for the blob ID should probably fail at that point meaning it does not really matter when you then try to fetch that URL as it will simply not have an associated blob. -- http://annevankesteren.nl/
Received on Thursday, 29 May 2014 09:42:58 UTC