[Bug 25987] Blob URL parsing / fetching model from bugzilla@jessica.w3.org on 2014-06-11 (public-webapps-bugzilla@w3.org from June 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 11 Jun 2014 21:17:41 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-25987-2532-TMkIh6xc4E@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987

--- Comment #4 from Arun <arun@mozilla.com> ---
(In reply to Anne from comment #3)
> Glenn, that is not testing this scenario. You need to actually use an
> <iframe> on zewt.org that also sets document.domain and then I guess try to
> create a Blob in one window and use it in the other. Just setting
> document.domain does not really change the origin. It just changes what
> origins can be reached because the effective script origin changes.

Well, here's a test such as the one described:

http://foo.aruner.net/resources/BlobURL/blobURLTestContainer.html

If you comment out the 'document.domain = "aruner.net";' part, the iframe
accesses the parent.url variable (which is a Blob URL) and prints "test" to the
console. If you don't comment it out, it raises a security exception in Chrome
and Fx resembling:

"Uncaught SecurityError: Blocked a frame with origin "http://foo.aruner.net"
from accessing a frame with origin "http://foo.aruner.net". The frame
requesting access set "document.domain" to "aruner.net", but the frame being
accessed did not. Both must set "document.domain" to the same value to allow
access."

Of course, if you also put a "document.domain="aruner.net";' in the page
containing the iframe (the "parent"), then it prints "test" (but they are
effectively same origin anyway, irrespective of document.domain).

http://aruner.net/resources/BlobURL/blobURLTestContainer.html fails to print
"test", even if both frames set document.domain to equal values.

User agents are more conservative than the spec., which has a consistency bug:
cross-origin requests are not allowed *strictly* but we make it seem that
document.domain usage *is* allowed in the way we've defined the Blob URL Store.
So, I think the right thing is to make it a same origin Blob URL Store along
the lines of the correspondence, in which one of the suggestion is to bind the
Blob URL Store to a global object. Blob URLs' origin is the origin of the
settings object of the global object.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 11 June 2014 21:17:46 UTC