W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: Blob URL Origin

From: Arun Ranganathan <arun@mozilla.com>
Date: Tue, 13 May 2014 14:19:09 -0400
Cc: Web Applications Working Group WG <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>, jonas <jonas@sicking.cc>
Message-Id: <3DC46389-0567-45AD-B45D-DBB033EC07D6@mozilla.com>
To: Anne Van Kesteren <annevk@annevk.nl>
On May 12, 2014, at 8:28 AM, Anne Van Kesteren <annevk@annevk.nl> wrote:

> It still seems a bit sad though to tie these URLs to origins in this
> fashion. Jonas is correct that there are inconsistencies in how data
> URLs and origins behave across browsers, but it seems like we should
> sort those out first then if we want a consistent story.




Since Blobs can be passed around in a number of well-known ways, it seems that the most legitimate origin of a Blob URL is the origin of the script that coined it. I’m not entirely sure how to take action on “it still seems a bit sad” though. Sad because of security considerations? After drying my tears, I can’t construct a meaningful attack, but I’d welcome more information about what benefits are gained by encoding certain “HTTP-reserved” components of URL nomenclature (and here, Chrome is inconsistent between blob: and filesystem:). Sad because of aesthetics? It’s pretty enough for Safari.

And really, all user agents seem to agree that the origin is that of the settings object today. That model seems to work. The remaining question is the pro and con of denoting this in the URL’s syntax. abarth’s advice is to put the syntax horse in front of the origin cart: http://krijnhoetmer.nl/irc-logs/whatwg/20140508#l-913

Also, if it’s “sad” because it doesn’t match data: URL’s way of reckoning origin, that doesn’t seem sad to me. 

— A*
Received on Tuesday, 13 May 2014 18:19:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC