- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 12 May 2014 16:46:32 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WebApps WG <public-webapps@w3.org>
On Mon, May 12, 2014 at 4:31 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 5/12/14, 5:28 AM, Anne van Kesteren wrote: >> so blob:https://origin:42/uuid would be fine. > > I'd really rather we didn't make web pages parse these strings to get the > origin. A static method on Blob that takes a valid blob: URI and returns > its origin seems like it should be pretty easy for UAs to implement, though. I thought the idea was to associate the origin of URL.createObjectURL() with the Blob object (which might be different from the Blob object's origin). And then for <iframe> etc. only allow loading "same-origin" blob: URLs. It seems this could also be achieved via other means, such as scoping the minted uuids to a particular origin. And I guess it protects against someone handing you a URL and you assuming loading that is safe. Again, seems like that could be achieved by scoped uuids if we think it's desirable. -- http://annevankesteren.nl/
Received on Monday, 12 May 2014 14:47:00 UTC