
Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 12 May 2014 16:46:32 +0200
Message-ID: <CADnb78iqje==ZNdiZ+222FXjzw8Y8D3R20Re3uBwGcFNP-7SRQ@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebApps WG <public-webapps@w3.org>
On Mon, May 12, 2014 at 4:31 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 5/12/14, 5:28 AM, Anne van Kesteren wrote:
>> so blob:https://origin:42/uuid would be fine.
>
> I'd really rather we didn't make web pages parse these strings to get the
> origin.  A static method on Blob that takes a valid blob: URI and returns
> its origin seems like it should be pretty easy for UAs to implement, though.

I thought the idea was to associate the origin of
URL.createObjectURL() with the Blob object (which might be different
from the Blob object's origin). And then for <iframe> etc. only allow
loading "same-origin" blob: URLs.

It seems this could also be achieved via other means, such as scoping
the minted uuids to a particular origin.

And I guess it protects against someone handing you a URL and you
assuming loading that is safe. Again, seems like that could be
achieved by scoped uuids if we think it's desirable.


-- 
http://annevankesteren.nl/
Received on Monday, 12 May 2014 14:47:00 UTC
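
The origin-scoped uuid idea from the message above, sketched as a toy model of a user agent's blob URL store. This is an added example, not code from the thread or from any browser; `BlobUrlStore`, `mintUuid`, `load` and `blobUrlOrigin` are hypothetical names, and the `blob:<origin>/<uuid>` layout is taken from the URL form quoted in the message.

```javascript
// Added illustration: toy model of origin-scoped blob URL uuids.
// All names here are hypothetical; no browser exposes this store.
const mintUuid = () =>
  globalThis.crypto?.randomUUID?.() ??
  // Fallback for runtimes without Web Crypto; not unguessable, model only.
  "xxxxxxxx-xxxx-4xxx-8xxx-xxxxxxxxxxxx".replace(/x/g, () =>
    Math.floor(Math.random() * 16).toString(16));

class BlobUrlStore {
  constructor() {
    this.scopes = new Map(); // minting origin -> Map(uuid -> blob)
  }

  // Models URL.createObjectURL() called by script running at callerOrigin.
  createObjectURL(callerOrigin, blob) {
    const uuid = mintUuid();
    if (!this.scopes.has(callerOrigin)) this.scopes.set(callerOrigin, new Map());
    this.scopes.get(callerOrigin).set(uuid, blob);
    return `blob:${callerOrigin}/${uuid}`;
  }

  // Models an <iframe> load. Only the loader's own table is consulted, so the
  // origin text inside the URL is never trusted and a foreign uuid just misses.
  load(loaderOrigin, url) {
    if (typeof url !== "string" || !url.startsWith("blob:")) return null;
    const uuid = url.slice(url.lastIndexOf("/") + 1);
    return this.scopes.get(loaderOrigin)?.get(uuid) ?? null;
  }
}

// Models the UA-side accessor suggested in the quoted reply: the URL parser
// reports the origin, so page script does not split the string itself.
function blobUrlOrigin(url) {
  const parsed = new URL(url);
  return parsed.protocol === "blob:" ? parsed.origin : null;
}

// Constructed sample: origin A mints a URL and hands it to a page at origin B.
const A = "https://origin:42";
const B = "https://other.example";
const store = new BlobUrlStore();
const handedOver = store.createObjectURL(A, "blob minted by A");
const relabelled = handedOver.replace(A, B); // same uuid, different origin text
```
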
