Re: File API: why is there same-origin restriction on blob URLs? from Glenn Maynard on 2013-03-29 (public-webapps@w3.org from January to March 2013)

From: Glenn Maynard <glenn@zewt.org>
Date: Fri, 29 Mar 2013 18:09:00 -0500
To: Jonas Sicking <jonas@sicking.cc>
Cc: WebApps WG <public-webapps@w3.org>, Arun Ranganathan <arun@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Yehuda Katz <wycats@gmail.com>
Message-ID: <CABirCh8qQff9+Ppi4vwDOAw+HJOF7yJbUYAOZ9eRbDEx6O2KiA@mail.gmail.com>

On Fri, Mar 29, 2013 at 10:17 AM, Jonas Sicking <jonas@sicking.cc> wrote:

>  What I'm saying if that different browsers behave differently here.
>
> Requiring the crossorigin attribute might be your opinion on how to solve
> it, but its not matching how any browsers treat data: URLs right now.
>
We're talking about changing the behavior of blob URLs, not about data:
URLs.

This isn't my opinion; I'm just explaining what the spec currently says.
Drawing cross-origin images always taint the canvas, and <img crossorigin>
is used to prevent that, by effectively changing the image's origin (
http://www.whatwg.org/specs/web-apps/current-work/#origin-0 "for images").

-- 
Glenn Maynard

Received on Friday, 29 March 2013 23:09:27 UTC