Re: Blob URL Origin

On May 12, 2014 8:57 AM, "Arun Ranganathan" <arun@mozilla.com> wrote:
> On May 12, 2014, at 10:31 AM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:
>
> > On 5/12/14, 5:28 AM, Anne van Kesteren wrote:
> >> so blob:https://origin:42/uuid would be fine.
> >
> > I'd really rather we didn't make web pages parse these strings to get
the origin.  A static method on Blob that takes a valid blob: URI and
returns its origin seems like it should be pretty easy for UAs to
implement, though.
>
>
> We actually aren't obliging web pages parse these strings to get the
origin. In fact, blob: URL strings shouldn't even be of interest to web
pages. They aren't today, and I don't envision them being of interest even
with "origin tagging." That is, I can't think of why exactly a web
developer would want to look into the blob: URL strings. UA's should just
"do the right thing" once a Blob URL is coined.

I suspect that some pages will want to check the origin of a url before
firing off a load to it. For example complex app frameworks like facebook's.

However I agree that this wont be a core use case. So not something to
worry too much about.

The strongest reason I could see for doing anything here is that when it
comes to security it is extra important to en courage people to not do the
wrong thing.

Though, would simply `URL(url).origin` work? If so that might be enough.

/ Jonas

Received on Monday, 12 May 2014 16:59:11 UTC