Re: File API: why is there same-origin restriction on blob URLs?

On Mar 26, 2013, at 8:30 PM, Jonas Sicking wrote:

> On Tue, Mar 26, 2013 at 2:17 PM, Anne van Kesteren <> wrote:
>> Hi,
>> Is there any particular reason why we restrict blob URLs to the same
>> origin as the script that created them? In effect they are pretty much
>> like capability URLs (containing an unguessable token). So if someone
>> decides to share one, that should be okay I think. This would be
>> useful in the context of sandboxed code (<iframe sandbox>) and
>> presumably elsewhere too.
> I think the original concern was that implementations might not be
> able to reliably generate unguessable URLs. Potentially that's
> something that we could require though.

We already require this -- "opaque strings" should be globally unique.  

> However we'd still need to nail down what the new behavior should be.
> Should it behave like data: URLs? The main advantage of those is that
> implementations still don't agree on how those should behave.

They're very different than data URLs.  What's a good use case for making them cross-origin, that isn't addressed by use of postMessage?

-- A*

Received on Wednesday, 27 March 2013 20:17:11 UTC