Re: [w3c/FileAPI] Proposal: Add a crossOrigin option to Blob (Issue #192)

> I think `crossOrigin` is confusing given the feature in HTML with the same name that kinda means the opposite of this. 

How about changing the name to `crossSite`?

> Cross-origin `blob:` URL also seems confusing and doesn't really work well if we ever allow navigating to or downloading `Blob` objects directly.

What does navigation to `Blob` objects look like?
Can this be solved if we expose this option to `URL.createObjectURL()` instead of `Blob` objects?
I.e.: `URL.createObjectURL(blob, {crossOrigin: true})`

> Yes. I think this makes things possible that were not possible before. For example, a page with default-src blob: should not be able to exfiltrate any information at the moment. After this proposal, it will be able via a cross-origin blob.

I think you can already exfiltrate information today ([PoC](https://test.shhnjk.com/default_blob.php)), because there is no restriction of navigations.

To me, opt-out (i.e. use keyword if you want to block unique Blob URL) makes sense because:

1. To create a Blob, you need a script execution first. If that's an unintended script execution, then that's game over.
2. The content of Blob can be untrustworthy, but in this case the person creating the Blob URL can apply CSP and/or sandbox with attributes or meta tag to restrict them.

I think that sites which are using tight CSP like `default-src blob:` are pretty rare, and if they want, they should have a way to restrict them. But that should not warrant unavailability of this API for others by default (which are the majority).




-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/issues/192#issuecomment-1428507018

Message ID: <w3c/FileAPI/issues/192/1428507018@github.com>

Received on Monday, 13 February 2023 19:11:33 UTC
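
Point 2 of the message above (restricting untrusted Blob content with a CSP meta tag and a sandboxed frame), as an added example that is not part of the original comment or of the File API specification. The function names, the sample policy and the helper structure are assumptions made for illustration.

```javascript
// Added example: all function names here are hypothetical helpers.
// Directives that browsers ignore when CSP is delivered via <meta>.
const META_IGNORED = new Set(["sandbox", "frame-ancestors", "report-uri"]);

function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
              .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Wrap untrusted markup in a document whose first <head> child is the
// CSP <meta>. A meta policy only governs content parsed after it, so
// the untrusted markup must come later in the document.
function buildRestrictedHtml(untrustedHtml, policy) {
  for (const directive of policy.split(";")) {
    const name = directive.trim().split(/\s+/)[0].toLowerCase();
    if (META_IGNORED.has(name)) {
      throw new Error(`"${name}" has no effect in a <meta> CSP`);
    }
  }
  return "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">` +
    "</head><body>" + untrustedHtml + "</body></html>";
}

// Create the blob: URL for the wrapped document.
function createRestrictedBlobUrl(untrustedHtml, policy) {
  const html = buildRestrictedHtml(untrustedHtml, policy);
  return URL.createObjectURL(new Blob([html], { type: "text/html" }));
}

// Browser side: load the blob: URL in an iframe. An empty sandbox
// attribute applies every restriction (opaque origin, no scripts);
// pass tokens such as "allow-scripts" to relax it selectively.
function mountSandboxed(doc, blobUrl, sandboxTokens = "") {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", sandboxTokens);
  frame.src = blobUrl;
  doc.body.appendChild(frame);
  return frame;
}
```

In a page this would be called as `mountSandboxed(document, createRestrictedBlobUrl(markup, "default-src 'none'"))`, followed by `URL.revokeObjectURL()` once the frame has loaded.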