- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 23 Sep 2019 04:02:40 -0700
- To: w3c/FileAPI <FileAPI@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 23 September 2019 11:03:22 UTC
It would be ideal that when `URL.createObjectURL()` is invoked all policies (CSP, referrer policy, etc.) are cloned and stored in the blob URL store so that they can be used when the blob URL is used to create a document. This might have to be somewhat hand-wavy initially, but can hopefully be formalized over time as we document how to create, store, and inherit policies. (In particular this approach helps ensure that however the user decides to open the blob URL, relevant policies will be there and there's not some escalation of privilege possible relative to the document that minted the URL.)

cc @mikewest @hiroshige-g

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/142
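A toy model of the proposal in the message above, added here as an illustration; it is not code from the File API specification, any browser, or the thread's participants. `BlobURLStore`, `createDocument`, `createDocumentFromInitiator` and the shape of the policy object are hypothetical names chosen for the example, and it contrasts a snapshot taken at mint time with policies taken from whoever opens the URL.

```javascript
// Toy model only; every name below is hypothetical, not a browser or spec API.
const clone = (value) => JSON.parse(JSON.stringify(value));

class BlobURLStore {
  constructor() {
    this.entries = new Map();
    this.counter = 0;
  }

  // Models URL.createObjectURL(): snapshot the minting document's policies.
  createObjectURL(mintingDoc, blob) {
    const url = `blob:${mintingDoc.origin}/${++this.counter}`; // constructed id
    this.entries.set(url, { blob, policies: clone(mintingDoc.policies) });
    return url;
  }

  // Document creation from a blob URL. The initiator is deliberately ignored:
  // policies come from the store entry however the URL was opened.
  createDocument(url, initiator) {
    const entry = this.entries.get(url);
    if (!entry) throw new Error(`unknown blob URL: ${url}`);
    return { url, body: entry.blob, policies: clone(entry.policies) };
  }
}

// The alternative the snapshot avoids: take policies from the initiator,
// which is absent for an address-bar navigation.
function createDocumentFromInitiator(store, url, initiator) {
  const entry = store.entries.get(url);
  const policies = initiator
    ? clone(initiator.policies)
    : { csp: [], referrerPolicy: "" };
  return { url, body: entry.blob, policies };
}

function demo() {
  const store = new BlobURLStore();
  const minter = { // constructed sample document
    origin: "https://app.example",
    policies: { csp: ["script-src 'none'"], referrerPolicy: "no-referrer" },
  };
  const url = store.createObjectURL(minter, "<p>user-supplied markup</p>");
  // Simulated later mutation: shows the entry holds a copy, not a reference.
  minter.policies.csp.length = 0;
  const snapshot = store.createDocument(url, null).policies;
  const inherited = createDocumentFromInitiator(store, url, null).policies;
  return { url, snapshot, inherited };
}
```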