Re: File API: why is there same-origin restriction on blob URLs?

On Sat, Mar 30, 2013 at 1:42 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> The reason that data: is relevant there is that blob: is proposed to behave
> the same as data:.

So the way a CORS fetch works in HTML is that it special cases data
URLs and about:blank to be in the same category as same-origin URLs.
XMLHttpRequest does the same for data URLs, and workers does something
similar too. http://fetch.spec.whatwg.org/ will unify this. If we add
blob URLs to that list they would be considered CORS same-origin. We
still need to add something though that ensures that data URLs and
blob URLs are not considered same-origin after a redirect.


-- 
http://annevankesteren.nl/

Received on Saturday, 30 March 2013 09:23:55 UTC
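
The rule described in this message, sketched as an added example (not part of the original message, and a model rather than the Fetch specification's algorithm). The function names, the `app.example` origin and the sample URLs are constructed, and treating one cross-origin hop as making the whole fetch cross-origin is an assumption of this model.

```javascript
// Added illustration: models the classification described in the message.
// data: is special-cased today; blob: is the addition proposed in the thread.
const SPECIAL_SCHEMES = new Set(["data:", "blob:"]);

// Classify a single URL in a fetch. `redirected` is true when the URL was
// reached through a redirect rather than requested directly.
function classifyHop(requestOrigin, rawUrl, redirected) {
  const url = new URL(rawUrl);
  if (url.href === "about:blank" || SPECIAL_SCHEMES.has(url.protocol)) {
    // Same category as same-origin only when requested directly.
    // The message names data: and blob: for the redirect restriction;
    // applying it to about:blank as well is an assumption of this sketch.
    return redirected ? "cross-origin" : "same-origin";
  }
  return url.origin === requestOrigin ? "same-origin" : "cross-origin";
}

// chain[0] is the URL the page asked for; later entries are redirect targets.
// Assumption: a single cross-origin hop makes the whole fetch cross-origin.
function classifyFetch(requestOrigin, chain) {
  const allSame = chain.every(
    (u, i) => classifyHop(requestOrigin, u, i > 0) === "same-origin"
  );
  return allSame ? "same-origin" : "cross-origin";
}

// Constructed sample chains for a page at https://app.example
const ORIGIN = "https://app.example";
const SAMPLES = {
  directData: ["data:text/plain,hi"],
  directBlob: ["blob:https://app.example/1234"],
  redirectToData: ["https://app.example/r", "data:text/plain,hi"],
  redirectToBlob: ["https://app.example/r", "blob:https://app.example/1234"],
  sameOriginRedirect: ["https://app.example/a", "https://app.example/b"],
};

for (const [name, chain] of Object.entries(SAMPLES)) {
  console.log(name, "->", classifyFetch(ORIGIN, chain));
}
```

Without the `redirected` check, a same-origin URL that redirects to a data: or blob: URL would be classified exactly like a direct request, which is the gap the last sentence of the message points at.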