
File API: why is there same-origin restriction on blob URLs?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 26 Mar 2013 21:17:31 +0000
Message-ID: <CADnb78isOceRwL_i=b8LVyapRndjf9xDF3Rad3wnaMiw3+V9fA@mail.gmail.com>
To: WebApps WG <public-webapps@w3.org>
Cc: Yehuda Katz <wycats@gmail.com>

Is there any particular reason why we restrict blob URLs to the same
origin as the script that created them? In effect they are pretty much
like capability URLs (containing an unguessable token). So if someone
decides to share one, that should be okay I think. This would be
useful in the context of sandboxed code (<iframe sandbox>) and
presumably elsewhere too.


Received on Tuesday, 26 March 2013 21:17:58 UTC
