On Mon, May 12, 2014 at 4:31 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 5/12/14, 5:28 AM, Anne van Kesteren wrote:
>> so blob:https://origin:42/uuid would be fine.
>
> I'd really rather we didn't make web pages parse these strings to get the
> origin. A static method on Blob that takes a valid blob: URI and returns
> its origin seems like it should be pretty easy for UAs to implement, though.

I thought the idea was to associate the origin of URL.createObjectURL() with the Blob object (which might be different from the Blob object's origin). And then for <iframe> etc. only allow loading "same-origin" blob: URLs.

It seems this could also be achieved via other means, such as scoping the minted uuids to a particular origin.

And I guess it protects against someone handing you a URL and you assuming loading that is safe. Again, seems like that could be achieved by scoped uuids if we think it's desirable.

-- 
http://annevankesteren.nl/

Received on Monday, 12 May 2014 14:47:00 UTC