W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: [FileSystem]: URI format, uses

From: Glenn Maynard <glenn@zewt.org>
Date: Fri, 21 Jan 2011 19:04:44 -0500
Message-ID: <AANLkTingVaiN9LU9eLmeC1Lifh514JiaHa9DsgJQ2nQK@mail.gmail.com>
To: Eric Uhrhane <ericu@google.com>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
On Fri, Jan 21, 2011 at 6:12 PM, Eric Uhrhane <ericu@google.com> wrote:
> I think that, for the domain that owns the asset referred to by the
> URI, pretty much any reasonable use should be allowed:
> video/audio/img/iframe/script sources, XHR [GET only], etc.  I'm
> iffier on allowing any access to other origins, even for e.g. img
> sources, even though they're normally allowed cross-origin.  I'd love
> to hear security arguments against and use cases for cross-origin
> access.  Of course, it's always easiest/safest to start out not
> allowing such a thing and relax the rules later.

Putting family photos in a directory and giving a webpage access to it
isn't the same as putting them on a publically-accessible webserver.
I think no cross-origin access should be allowed.

I do think there should be a mechanism within createObjectURL to allow
cross-origin access, which could be then used with a File created from
an Entry.  I don't think that makes sense for Entry URIs, though.

Glenn Maynard
Received on Saturday, 22 January 2011 00:05:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:16 UTC