Re: Blob URL Origin from Glenn Maynard on 2014-05-19 (public-webapps@w3.org from April to June 2014)

From: Glenn Maynard <glenn@zewt.org>
Date: Mon, 19 May 2014 17:32:41 -0500
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@annevk.nl>, Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
Message-ID: <CABirCh_gbZF=juuUEELrLVqoM8Wu-jhAoTH7RPv5eibrXRLnig@mail.gmail.com>

On Mon, May 19, 2014 at 3:30 AM, Jonas Sicking <jonas@sicking.cc> wrote:

> In at least Chrome and Firefox, blob: acts like filesystem: and can't
>
be loaded cross-origin. Even in cases when we normally permit loading
> of cross-origin resources like in <img> and <script>.
>
> This has been to prevent websites from being able to steal data by
> guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
> produce unguessable UUIDs).
>

Again, generating securely unguessable tokens (whether in UUID format or
not) is straightforward, so this seems doesn't seem like a reason to block
cross-origin blob URLs.

-- 
Glenn Maynard

Received on Monday, 19 May 2014 22:33:08 UTC