
Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 19 May 2014 11:00:15 +0200
Message-ID: <CADnb78hPTea-WT4EXKcWwonF5mxgmSgb75D9S16Eo9zNerdTig@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>

On Mon, May 19, 2014 at 10:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> In at least Chrome and Firefox, blob: acts like filesystem: and can't
> be loaded cross-origin. Even in cases when we normally permit loading
> of cross-origin resources like in <img> and <script>.
>
> This has been to prevent websites from being able to steal data by
> guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
> produce unguessable UUIDs).
>
> So the question of <canvas> tainting doesn't really come into play,
> since you can't even load the cross-origin blob: into an image and
> draw it into the canvas.

Again fair, but do we consider that something we want to fix or do we
want to enshrine this?

Received on Monday, 19 May 2014 09:00:45 UTC
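
The behaviour described in the quoted text, as an added example that is not part of the original message and not browser source code: a simplified model of a blob URL store that refuses cross-origin loads, so a correct URL guess from another origin still returns nothing. The class, method names, origins and the counter-based id generator are constructed for illustration.

```javascript
// Simplified model (constructed for illustration) of a blob URL store.
class BlobUrlStore {
  constructor(nextId) {
    this.nextId = nextId;      // id generator; browsers use UUIDs here
    this.entries = new Map();  // blob URL -> { origin, data }
  }

  // Models URL.createObjectURL() called by a page running at `origin`.
  createObjectURL(origin, data) {
    const url = `blob:${origin}/${this.nextId()}`;
    this.entries.set(url, { origin, data });
    return url;
  }

  // Models loading `url` (for example into <img> or <script>) from a page
  // at `requestingOrigin`. Assumption of this model: an unknown URL and a
  // cross-origin URL fail the same way (null), so the caller cannot tell
  // whether a guessed URL exists.
  load(url, requestingOrigin) {
    const entry = this.entries.get(url);
    if (!entry || entry.origin !== requestingOrigin) return null;
    return entry.data;
  }

  revokeObjectURL(url) {
    this.entries.delete(url);
  }
}

function demo() {
  // Worst case from the quoted text: ids are predictable, not random UUIDs.
  let counter = 0;
  const store = new BlobUrlStore(() => `id-${++counter}`);

  const url = store.createObjectURL("https://app.example", "private data");
  const guessed = "blob:https://app.example/id-1"; // same string, guessed elsewhere

  const result = {
    guessMatches: guessed === url,
    sameOrigin: store.load(url, "https://app.example"),
    crossOrigin: store.load(guessed, "https://other.example"),
  };
  store.revokeObjectURL(url);
  result.afterRevoke = store.load(url, "https://app.example");
  return result;
}

console.log(demo());
```

In this model the origin check, not the unguessability of the identifier, is what protects the data.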
