- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 19 May 2014 12:57:48 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Mon, May 19, 2014 at 2:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, May 19, 2014 at 10:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> In at least Chrome and Firefox, blob: acts like filesystem: and can't
>> be loaded cross-origin. Even in cases when we normally permit loading
>> of cross-origin resources like in <img> and <script>.
>>
>> This has been to prevent websites from being able to steal data by
>> guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
>> produce unguessable UUIDs).
>>
>> So the question of <canvas> tainting doesn't really come into play,
>> since you can't even load the cross-origin blob: into an image and
>> draw it into the canvas.
>
> Again fair, but do we consider that something we want to fix or do we
> want to enshrine this?

Given that there's no way to set CORS headers on these (yet), I think
there's very limited value in allowing them to be read cross-origin.

We could look at enabling developers to opt in to generating a URI
which can be read cross-origin, at which point it could generate a URI
which can be read by a developer-chosen set of origins.

But I'd prefer to keep the default behavior closed.

/ Jonas
Received on Monday, 19 May 2014 19:58:46 UTC