- From: <bugzilla@jessica.w3.org>
- Date: Wed, 11 Jun 2014 21:17:41 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987

--- Comment #4 from Arun <arun@mozilla.com> ---
(In reply to Anne from comment #3)
> Glenn, that is not testing this scenario. You need to actually use an
> <iframe> on zewt.org that also sets document.domain and then I guess try to
> create a Blob in one window and use it in the other. Just setting
> document.domain does not really change the origin. It just changes what
> origins can be reached because the effective script origin changes.

Well, here's a test such as the one described:

http://foo.aruner.net/resources/BlobURL/blobURLTestContainer.html

If you comment out the 'document.domain = "aruner.net";' part, the iframe accesses the parent.url variable (which is a Blob URL) and prints "test" to the console.

If you don't comment it out, it raises a security exception in Chrome and Fx resembling:

"Uncaught SecurityError: Blocked a frame with origin "http://foo.aruner.net" from accessing a frame with origin "http://foo.aruner.net". The frame requesting access set "document.domain" to "aruner.net", but the frame being accessed did not. Both must set "document.domain" to the same value to allow access."

Of course, if you also put a 'document.domain="aruner.net";' in the page containing the iframe (the "parent"), then it prints "test" (but they are effectively same origin anyway, irrespective of document.domain).

http://aruner.net/resources/BlobURL/blobURLTestContainer.html fails to print "test", even if both frames set document.domain to equal values.

User agents are more conservative than the spec., which has a consistency bug: cross-origin requests are not allowed *strictly* but we make it seem that document.domain usage *is* allowed in the way we've defined the Blob URL Store.

So, I think the right thing is to make it a same origin Blob URL Store along the lines of the correspondence, in which one of the suggestions is to bind the Blob URL Store to a global object.
Blob URLs' origin is the origin of the settings object of the global object.
Received on Wednesday, 11 June 2014 21:17:46 UTC
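
The four outcomes reported in the message above can be reproduced with a small model that keeps the origin check and the effective-script-origin check separate. This is an added example, not part of the original message and not browser or specification code; `makeFrame`, `BlobURLStore` and `scenario` are hypothetical names, the blob identifiers are constructed, and the last case assumes the iframe is still served from foo.aruner.net.

```javascript
// Simplified model (constructed for illustration, not browser or spec code).
// A frame has a real origin plus an optional document.domain value.
function makeFrame(url, documentDomain = null) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, documentDomain };
}

// Origin comparison: scheme, host, port. document.domain plays no part.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Effective script origin comparison, used for frame-to-frame script access:
// once either frame sets document.domain, both must have set the same value.
function sameEffectiveScriptOrigin(a, b) {
  if (a.documentDomain === null && b.documentDomain === null) return sameOrigin(a, b);
  return a.scheme === b.scheme &&
    a.documentDomain !== null && a.documentDomain === b.documentDomain;
}

// Blob URL store bound to the creating frame's origin (a "same origin" store).
class BlobURLStore {
  constructor() { this.entries = new Map(); this.next = 0; }
  create(frame, data) {
    const url = `blob:${frame.scheme}//${frame.host}/constructed-id-${this.next++}`;
    this.entries.set(url, { owner: frame, data });
    return url;
  }
  // Resolution ignores document.domain: only the real origin is compared.
  resolve(frame, url) {
    const e = this.entries.get(url);
    return e && sameOrigin(frame, e.owner) ? e.data : null;
  }
}

// The parent creates a Blob URL holding "test"; the iframe first reads
// parent.url (script access), then tries to dereference the Blob URL.
function scenario(parentUrl, parentDomain, childUrl, childDomain) {
  const parent = makeFrame(parentUrl, parentDomain);
  const child = makeFrame(childUrl, childDomain);
  const store = new BlobURLStore();
  const blobUrl = store.create(parent, "test");
  const canReadParentVar = sameEffectiveScriptOrigin(child, parent);
  const blobData = canReadParentVar ? store.resolve(child, blobUrl) : null;
  return { canReadParentVar, blobData };
}
```

In the last case script access succeeds because the effective script origins match, yet the Blob URL does not resolve because the real origins differ.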