Re: File API: why is there same-origin restriction on blob URLs? from Jonas Sicking on 2013-03-29 (public-webapps@w3.org from January to March 2013)

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 29 Mar 2013 08:17:56 -0700
To: Glenn Maynard <glenn@zewt.org>
Cc: WebApps WG <public-webapps@w3.org>, Arun Ranganathan <arun@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Yehuda Katz <wycats@gmail.com>
Message-ID: <CA+c2ei_VH1KhezdE6EZ6pTMEbMuTi4+ZHh9FB36CDUewqvoJ4Q@mail.gmail.com>

On Mar 28, 2013 7:36 AM, "Glenn Maynard" <glenn@zewt.org> wrote:
>
> On Wed, Mar 27, 2013 at 1:35 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> Same question applies if you create an <img src="blob:..."> and then
>> drawImage it into a canvas, does the canvas get tainted? Again, I
>> think different browsers do different things for data: URLs here.
>
>
> You'd need to say <img crossorigin> to not taint, since it's still
cross-origin, but other than that there's no reason to taint.  The idea of
image tainting is preventing access when the caller wouldn't have direct
access to pixels, which isn't the case here.

What I'm saying if that different browsers behave differently here.

Requiring the crossorigin attribute might be your opinion on how to solve
it, but its not matching how any browsers treat data: URLs right now.

/ Jonas

Received on Friday, 29 March 2013 15:18:25 UTC