Re: [whatwg/url] Use definitions in FileAPI spec to resolve blob URLs and their origins. (#371)

> What I should have asked about sooner is whether we have any tests around this already and if any implementation bugs need to be filed? Sorry for the additional delay, but I'd like to be sure we don't have to revisit this anytime soon.

As mentioned in the initial pull request message:

> The only observable change here is the origin for blob URLs created in unique origins (which is only observable indirectly by trying to fetch such URLs), and tests for that already exist in https://w3c-test.org/FileAPI/url/sandboxed-iframe.html.

And from looking at https://wpt.fyi/results/FileAPI/url/sandboxed-iframe.html?label=master&label=stable&aligned there are probably some implementation bugs that should be filed if they haven't been filed already, although not clear how much that is related to this PR (which really was just trying to codify what browsers are already doing today). I.e. tests like "Blob URLs can be used in XHR and "Blob URLs can be used in fetch" passing in all browsers show that at least in some cases they use the correct origin. But then "Blob URLs can be used in iframes, and are treated same origin" fails in all browsers, so I'll have to double check what's going on there.

So the test situation is a bit tricky since it is only possible to indirectly observe the origin of a opaque origin'ed blob URL, but I think for this PR we're fine, all implementations at least do the right thing for fetch/xhr. There's definitely more work to be done here though, for example as part of whatwg/fetch#666, which will help address when exactly same/cross origin blob URLs should actually load or not load. As part of that I expect I'll be writing more tests, and probably filing implementation bugs. Does that sound reasonable?







-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/371#issuecomment-453601959