- From: Krzysztof Kotowicz <notifications@github.com>
- Date: Mon, 16 Mar 2020 05:54:59 -0700
- To: w3c/FileAPI <FileAPI@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 16 March 2020 12:55:11 UTC
Re: CSP integration, I think there is a way of nulling the Blob origins, making them useful for e.g. downloads, but not for direct DOM access when navigated to.

If https://fetch.spec.whatwg.org/#main-fetch step 5 did not overwrite the response tainting flag to "basic" for "navigate" requests, some directive's [pre-navigation check](https://www.w3.org/TR/CSP3/#directive-pre-navigation-check) could set the request's [response tainting flag](https://fetch.spec.whatwg.org/#concept-request-response-tainting) to "opaque". If I understand correctly, then navigations to all blob: would be cross origin.

/cc @mikewest @annevk - this would be addressing b) from https://github.com/w3c/FileAPI/issues/142#issuecomment-597698473

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/74#issuecomment-599520426
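Added illustration (not part of the message above, the FileAPI issue, or any spec text): the status quo the proposal would change is that a blob: URL's origin is derived from the URL embedded in its path, so a navigation to it today produces a document same-origin with the page that created the blob. The function below follows the URL Standard's origin rule for blob URLs; the function names and the sample blob URLs are constructed for this example.

```javascript
// Added example: how the origin of a blob: URL is derived per the WHATWG URL
// Standard. This is what gives a navigated-to blob: document DOM access to the
// creating origin, which the response-tainting idea above aims to cut off for
// navigations while leaving downloads usable.

function blobUrlOrigin(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "blob:") {
    throw new TypeError("expected a blob: URL");
  }
  // URL Standard: parse the blob URL's path as a URL; if that inner URL's
  // scheme is http or https, the blob URL's origin is the inner origin,
  // otherwise the origin is opaque (serialized as "null").
  let inner;
  try {
    inner = new URL(url.pathname);
  } catch {
    return "null";
  }
  if (inner.protocol === "http:" || inner.protocol === "https:") {
    return inner.origin;
  }
  return "null";
}

// Does a navigation to this blob: URL today land in a document that is
// same-origin with documentOrigin (and therefore has direct DOM access)?
function sameOriginOnNavigation(blobUrl, documentOrigin) {
  const origin = blobUrlOrigin(blobUrl);
  return origin !== "null" && origin === documentOrigin;
}

// Sample blob URLs, constructed for this example (the UUID-like parts are arbitrary).
const SAMPLES = [
  "blob:https://app.example/3f1e2c9a-0000-4000-8000-0123456789ab",
  "blob:http://localhost:8080/abc",
  "blob:null/deadbeef", // minted by an opaque-origin (e.g. sandboxed) document
];

for (const s of SAMPLES) {
  console.log(s, "->", blobUrlOrigin(s),
    "same-origin with https://app.example:",
    sameOriginOnNavigation(s, "https://app.example"));
}
```

Under the comment's proposal the first two URLs would still resolve for downloads, but a navigation to them would be treated as cross-origin regardless of the inner origin computed here.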