Re: [FileSystem]: URI format, uses

On Fri, Jan 21, 2011 at 6:12 PM, Eric Uhrhane <ericu@google.com> wrote:
> I think that, for the domain that owns the asset referred to by the
> URI, pretty much any reasonable use should be allowed:
> video/audio/img/iframe/script sources, XHR [GET only], etc.  I'm
> iffier on allowing any access to other origins, even for e.g. img
> sources, even though they're normally allowed cross-origin.  I'd love
> to hear security arguments against and use cases for cross-origin
> access.  Of course, it's always easiest/safest to start out not
> allowing such a thing and relax the rules later.

Putting family photos in a directory and giving a webpage access to it
isn't the same as putting them on a publically-accessible webserver.
I think no cross-origin access should be allowed.

I do think there should be a mechanism within createObjectURL to allow
cross-origin access, which could be then used with a File created from
an Entry.  I don't think that makes sense for Entry URIs, though.

-- 
Glenn Maynard

Received on Saturday, 22 January 2011 00:05:21 UTC