Re: Blob URL Origin

On Fri, May 16, 2014 at 9:11 AM, Anne van Kesteren <> wrote:

> I think the sad thing is that if you couple origins with blob URLs you
can no longer hand a blob URL to an <iframe>-based widget and let them
> play with it. E.g. draw, modify, and hand a URL back for the modified
> image. But I guess this is a scenario you explicitly want to outlaw,
> even though you could do the equivalent by passing a Blob object
> directly and that would always work.

As I recall, when I asked why blob URLs were same-origin only, the answer
was that it was uncertain whether all platforms had a good enough PRNG to
allow generating securely-unguessable tokens for blob URLs in order to make
sure sites can't guess blob URLs for other sites.  I don't think that's an
issue (if you don't have an entropy source to implement a secure PRNG, you
don't even have basic crypto).  I think that the same-origin restriction
for blob URLs should be removed.

Glenn Maynard

Received on Friday, 16 May 2014 15:10:37 UTC