- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 26 Mar 2013 17:30:23 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebApps WG <public-webapps@w3.org>, Yehuda Katz <wycats@gmail.com>
On Tue, Mar 26, 2013 at 2:17 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > Hi, > > Is there any particular reason why we restrict blob URLs to the same > origin as the script that created them? In effect they are pretty much > like capability URLs (containing an unguessable token). So if someone > decides to share one, that should be okay I think. This would be > useful in the context of sandboxed code (<iframe sandbox>) and > presumably elsewhere too. I think the original concern was that implementations might not be able to reliably generate unguessable URLs. Potentially that's something that we could require though. However we'd still need to nail down what the new behavior should be. Should it behave like data: URLs? The main advantage of those is that implementations still don't agree on how those should behave. / Jonas
Received on Wednesday, 27 March 2013 00:31:25 UTC