- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 19 May 2014 11:00:15 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>

On Mon, May 19, 2014 at 10:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> In at least Chrome and Firefox, blob: acts like filesystem: and can't
> be loaded cross-origin. Even in cases when we normally permit loading
> of cross-origin resources like in <img> and <script>.
>
> This has been to prevent websites from being able to steal data by
> guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
> produce unguessable UUIDs).
>
> So the question of <canvas> tainting doesn't really come into play,
> since you can't even load the cross-origin blob: into an image and
> draw it into the canvas.

Again fair, but do we consider that something we want to fix or do we want to enshrine this?

--
http://annevankesteren.nl/

Received on Monday, 19 May 2014 09:00:45 UTC