- From: Adrian Bateman <adrianba@microsoft.com>
- Date: Fri, 11 Jun 2010 16:09:42 +0000
- To: Jonas Sicking <jonas@sicking.cc>, "arun@mozilla.com" <arun@mozilla.com>, Jian Li <jianli@chromium.org>
- CC: Web Applications Working Group WG <public-webapps@w3.org>, public-device-apis <public-device-apis@w3.org>
On Wednesday, June 02, 2010 5:35 PM, Jonas Sicking wrote: > On Wed, Jun 2, 2010 at 5:26 PM, Arun Ranganathan <arun@mozilla.com> wrote: > > On 6/2/10 5:06 PM, Jian Li wrote: > >> In addition, > >> we're thinking it will probably be a good practice to encode the security > >> origin in the blob URL scheme, like blobdata: > >> http://example.com/33c6401f-8779-4ea2-9a9b-1b725d6cd50b. This will make > >> doing the security origin check easier when a page tries to access the > >> blob > >> url that is created in another process, under multi-process architecture. > > > > This is a good suggestion. I particularly like the idea of encoding the > > origin as part of the scheme. > > Though we want to avoid introducing the concept of nested schemes to > the web. While mozilla already uses nested schemes (jar:http://... > and view-source:http://...) I know others, in particular Apple, have > expressed a dislike for this in the past. And with good reason, it's > not easy to implement and has been a source of numerous security bugs. > That said, it's certainly possible. It's not clear to me the benefit of encoding the origin into the URL. Do we expect script to parse out the origin and use it? Even in a multi-process architecture there's presumably some central store of issued URLs which will need to store origin information as well as other things? Cheers, Adrian
Received on Friday, 11 June 2010 16:10:43 UTC