Re: [w3c/FileAPI] "Null"ing out the Origin of a BLOB (#74)

I think using origin-wide CSP here might be overkill.  For an origin-wide policy, that also means people need to set headers on the server side instead of via JavaScript (potentially out of reach), and rely on some sort of automagic propagation provided by the browser (which could lead to obscure bugs).  It also means webdevs need to ensure all inline scripts in the same origin are hashed, which could be infeasible for large websites.

My thoughts are something like:
````
// Sketch of a proposed API; setOrigin() does not exist in the File API today.
const blob = new Blob();
blob.setOrigin(null);
````
where setOrigin will accept the current origin, a super-domain, or NULL for an opaque origin.

By allowing a blob to be set to an opaque origin, this opens up use-cases where isolated JavaScript execution is desired.  For example, people can send JavaScript-powered e-cards through WhatsApp without the e-card having access to the web.whatsapp.com origin.  Currently this isolation can only be done by using iframe sandbox or spawning new windows with data URIs.

Hopefully, browsers can just reuse the existing machinery for treating Data URIs.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/74#issuecomment-287021746

Received on Thursday, 16 March 2017 10:51:38 UTC
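The isolation workaround the comment above refers to, shown as an added example that is not part of the thread or of the File API spec: a blob: URL today carries the origin of the document that created it, so untrusted script loaded from such a URL runs as that origin unless the frame is sandboxed without `allow-same-origin`. The helper names, the `ECARD_HTML` payload and the web.whatsapp.com URLs are assumptions constructed for illustration; `blobUrlOrigin` and `effectiveFrameOrigin` model the URL standard's origin rules for blob: URLs and the sandbox flag, while `showEcardIsolated` is the browser-only part.

```javascript
// Added example (not from the w3c/FileAPI thread). Models how blob: URLs
// inherit the creating origin, and how <iframe sandbox> without
// allow-same-origin is what currently yields an opaque ("null") origin.
// Function names and sample data below are assumptions for illustration.

// Origin of a blob: URL as the URL standard defines it: the origin of the
// URL nested after "blob:" when that URL is http(s), otherwise opaque.
// The opaque origin is returned as the string "null", which is how
// postMessage's event.origin reports it.
function blobUrlOrigin(blobUrl) {
  if (!blobUrl.startsWith("blob:")) throw new TypeError("not a blob: URL");
  let inner;
  try {
    inner = new URL(blobUrl.slice("blob:".length));
  } catch {
    return "null"; // e.g. "blob:null/<uuid>" created by an opaque document
  }
  const isHttp = inner.protocol === "http:" || inner.protocol === "https:";
  return isHttp ? inner.origin : "null";
}

// Effective origin of a frame that loads `url`, given the value of its
// sandbox attribute (null when the attribute is absent). A sandboxed frame
// only keeps the blob's origin when allow-same-origin is present.
function effectiveFrameOrigin(url, sandbox) {
  if (sandbox === null) return blobUrlOrigin(url);
  const tokens = sandbox.split(/\s+/).filter(Boolean);
  return tokens.includes("allow-same-origin") ? blobUrlOrigin(url) : "null";
}

// Constructed "e-card" payload: untrusted script that probes whether it can
// reach the embedding page, then reports back via postMessage.
const ECARD_HTML = `<!doctype html><script>
  let reached;
  try { reached = parent.document.title; } catch (e) { reached = "blocked: " + e.name; }
  parent.postMessage({ reached }, "*");
</script>`;

// Browser-only: load the e-card from a blob: URL inside a sandboxed frame
// so the script runs with an opaque origin. Returns the frame element.
function showEcardIsolated(html, doc = globalThis.document) {
  const blob = new Blob([html], { type: "text/html" });
  const url = URL.createObjectURL(blob);
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts"); // deliberately no allow-same-origin
  frame.src = url;
  doc.body.appendChild(frame);
  return frame;
}

// Receiver side: a message from the e-card is only accepted if it really
// arrived from an opaque origin, i.e. the sandbox isolated it as intended.
function isFromOpaqueOrigin(event) {
  return event.origin === "null";
}

// Usage in a page served from https://web.whatsapp.com (assumed origin):
//   window.addEventListener("message", (e) => {
//     if (!isFromOpaqueOrigin(e)) return; // ignore anything that kept our origin
//     console.log(e.data.reached);         // "blocked: SecurityError"
//   });
//   showEcardIsolated(ECARD_HTML);
```

Dropping the `sandbox` attribute (or adding `allow-same-origin`) turns `effectiveFrameOrigin` back into `https://web.whatsapp.com`, which is exactly the access the comment wants to deny: the e-card's `parent.document.title` probe would then succeed.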