- From: Glenn Maynard <glenn@zewt.org>
- Date: Fri, 21 Jan 2011 19:04:44 -0500
- To: Eric Uhrhane <ericu@google.com>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>

On Fri, Jan 21, 2011 at 6:12 PM, Eric Uhrhane <ericu@google.com> wrote:
> I think that, for the domain that owns the asset referred to by the
> URI, pretty much any reasonable use should be allowed:
> video/audio/img/iframe/script sources, XHR [GET only], etc. I'm
> iffier on allowing any access to other origins, even for e.g. img
> sources, even though they're normally allowed cross-origin. I'd love
> to hear security arguments against and use cases for cross-origin
> access. Of course, it's always easiest/safest to start out not
> allowing such a thing and relax the rules later.

Putting family photos in a directory and giving a webpage access to it isn't the same as putting them on a publicly-accessible webserver. I think no cross-origin access should be allowed.

I do think there should be a mechanism within createObjectURL to allow cross-origin access, which could be then used with a File created from an Entry. I don't think that makes sense for Entry URIs, though.

--
Glenn Maynard

Received on Saturday, 22 January 2011 00:05:21 UTC