
Re: Blob URL Origin

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 19 May 2014 01:30:19 -0700
Message-ID: <CA+c2ei-kE6y69Ew6ywsk28840CVD-aqb0QmYz75O1uLzTrQwVw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Sun, May 18, 2014 at 6:38 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sat, May 17, 2014 at 12:22 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> And I agree with them. The fact that <iframe>s end up same-origin
>> makes it easier to XSS a website by tricking it to load a URL of the
>> attacker's choice in an iframe. Or open a worker using a URL of the
>> attacker's choice.
>
> I guess that is fair. Should a cross-origin blob URL taint the <canvas>?

In at least Chrome and Firefox, blob: acts like filesystem: and can't
be loaded cross-origin. Even in cases when we normally permit loading
of cross-origin resources like in <img> and <script>.

This has been done to prevent websites from being able to steal data by
guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
produce unguessable UUIDs).

So the question of <canvas> tainting doesn't really come into play,
since you can't even load the cross-origin blob: into an image and
draw it into the canvas.

/ Jonas
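The loading rule Jonas describes above, as an added example that is not code from the thread or from either browser: a small model that derives a blob: URL's origin from the URL embedded after the scheme and applies the same-origin-only check, even for destinations such as <img> and <script> that would otherwise accept cross-origin resources. The function names, the destination set and the sample origins are assumptions constructed for this example.

```javascript
// Added example (not from the thread or any browser): a model of the
// blob: loading rule described above. Origins and paths are constructed.

// The origin of a blob: URL is the origin of the URL embedded after "blob:".
// An inner part that does not parse (e.g. "blob:null/...") is treated as an
// opaque origin, which matches nothing.
function blobUrlOrigin(blobUrl) {
  if (!blobUrl.startsWith("blob:")) throw new Error("not a blob: URL");
  try {
    return new URL(blobUrl.slice("blob:".length)).origin;
  } catch (e) {
    return "null"; // opaque origin
  }
}

// Destinations that ordinarily accept cross-origin resources (assumed set).
const CROSS_ORIGIN_OK = new Set(["img", "script", "video", "audio"]);

// May a document at `docOrigin` load `url` as `destination`?
// Assumed model: blob: (like filesystem:) is same-origin only regardless of
// destination; other schemes follow the usual per-destination rule.
function mayLoad(docOrigin, url, destination) {
  const isBlob = url.startsWith("blob:");
  const targetOrigin = isBlob ? blobUrlOrigin(url) : new URL(url).origin;
  if (targetOrigin === "null") return false;      // opaque: never same-origin
  if (targetOrigin === docOrigin) return true;     // same-origin always fine
  if (isBlob) return false;                        // no cross-origin blob:, even in <img>
  return CROSS_ORIGIN_OK.has(destination);
}

// Consequence for <canvas>: a cross-origin blob: never reaches an <img>,
// so the tainting question does not arise.
function canvasWouldBeTainted(docOrigin, imgUrl) {
  if (!mayLoad(docOrigin, imgUrl, "img")) return "not loaded";
  return new URL(imgUrl.replace(/^blob:/, "")).origin === docOrigin ? "clean" : "tainted";
}
```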
Received on Monday, 19 May 2014 08:31:16 UTC
