Re: File API: why is there same-origin restriction on blob URLs?

On Tue, Mar 26, 2013 at 2:17 PM, Anne van Kesteren <> wrote:
> Hi,
> Is there any particular reason why we restrict blob URLs to the same
> origin as the script that created them? In effect they are pretty much
> like capability URLs (containing an unguessable token). So if someone
> decides to share one, that should be okay I think. This would be
> useful in the context of sandboxed code (<iframe sandbox>) and
> presumably elsewhere too.

I think the original concern was that implementations might not be
able to reliably generate unguessable URLs. Potentially that's
something that we could require though.

However we'd still need to nail down what the new behavior should be.
Should it behave like data: URLs? The main advantage of those is that
implementations still don't agree on how those should behave.

/ Jonas

Received on Wednesday, 27 March 2013 00:31:25 UTC