On Fri, Jan 21, 2011 at 6:12 PM, Eric Uhrhane <ericu@google.com> wrote: > I think that, for the domain that owns the asset referred to by the > URI, pretty much any reasonable use should be allowed: > video/audio/img/iframe/script sources, XHR [GET only], etc. I'm > iffier on allowing any access to other origins, even for e.g. img > sources, even though they're normally allowed cross-origin. I'd love > to hear security arguments against and use cases for cross-origin > access. Of course, it's always easiest/safest to start out not > allowing such a thing and relax the rules later. Putting family photos in a directory and giving a webpage access to it isn't the same as putting them on a publically-accessible webserver. I think no cross-origin access should be allowed. I do think there should be a mechanism within createObjectURL to allow cross-origin access, which could be then used with a File created from an Entry. I don't think that makes sense for Entry URIs, though. -- Glenn MaynardReceived on Saturday, 22 January 2011 00:05:21 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:16 UTC