- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 20 May 2014 10:28:23 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Mon, May 19, 2014 at 9:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, May 19, 2014 at 2:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Again fair, but do we consider that something we want to fix or do we
>> want to enshrine this?
>
> Given that there's no way to set CORS headers on these (yet), I think
> there's very limited value in allowing them to be read cross-origin.

I meant fixing not generating unique enough IDs.

The way I see it such a URL is effectively a capability URL (given a unique enough ID) and at that point it should not be that different from handing out a Blob object across origins. The perceived danger is apparently people sticking these URLs in things sans sandboxing and shooting themselves in the foot.

So it seems reasonable to treat such URLs as cross-origin for <iframe> and workers (CSP's child-src), but for <canvas> that does not seem that clear.

--
http://annevankesteren.nl/
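The two properties the message hinges on, the origin embedded in a blob: URL and whether its ID is unique enough to act as a capability, can be checked mechanically. The following is an added example, not code from the thread or from any browser; it assumes the `blob:<origin>/<id>` shape that browsers produce from `URL.createObjectURL` and treats only a well-formed version 4 UUID (122 random bits) as an unguessable ID. The sample URLs are constructed, and `isSameOriginBlobUrl` is the check a document would apply before treating a blob URL as same-origin for an <iframe> or worker, as proposed above.

```javascript
// Added example: classify blob: URLs by embedded origin and ID strength.
// Assumed format (File API / URL standard): blob:<origin>/<id>
// Origin is the origin of the document that created the Blob, or "null"
// for an opaque origin (e.g. a sandboxed frame).

const UUID_V4 =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Split a blob: URL into its embedded origin and the object ID.
// Returns null if the string is not a blob: URL at all.
function parseBlobUrl(url) {
  if (typeof url !== 'string' || !url.startsWith('blob:')) return null;
  const rest = url.slice('blob:'.length);
  try {
    // Per the URL standard, the origin of a blob: URL is the origin of
    // the URL formed by its path, e.g. "https://example.com/<id>".
    const inner = new URL(rest);
    return { origin: inner.origin, id: inner.pathname.replace(/^\//, '') };
  } catch {
    // "blob:null/<id>": the path is not an absolute URL, so the creating
    // document had an opaque origin. Keep the ID but mark origin as null.
    const slash = rest.indexOf('/');
    return { origin: 'null', id: slash >= 0 ? rest.slice(slash + 1) : '' };
  }
}

// The same-origin test a document should apply before embedding a
// blob: URL in an <iframe> or loading it as a worker. Opaque ("null")
// origins never match anything, including another "null".
function isSameOriginBlobUrl(url, documentOrigin) {
  const parsed = parseBlobUrl(url);
  if (!parsed || parsed.origin === 'null') return false;
  return parsed.origin === documentOrigin;
}

// A blob URL only works as a capability URL if the ID is unguessable.
// A v4 UUID carries 122 random bits; anything else is treated as weak.
function isUnguessableId(id) {
  return UUID_V4.test(id);
}

function classifyBlobUrl(url, documentOrigin) {
  const parsed = parseBlobUrl(url);
  if (!parsed) return { valid: false };
  return {
    valid: true,
    origin: parsed.origin,
    id: parsed.id,
    sameOrigin: isSameOriginBlobUrl(url, documentOrigin),
    idStrength: isUnguessableId(parsed.id) ? 'uuid-v4' : 'weak-or-unknown',
  };
}

// Constructed sample inputs (not real object URLs).
const SAMPLES = [
  'blob:https://example.com/550e8400-e29b-41d4-a716-446655440000',
  'blob:null/550e8400-e29b-41d4-a716-446655440000',
  'blob:https://example.com/1',
  'https://example.com/not-a-blob',
];

for (const url of SAMPLES) {
  console.log(url, '=>', classifyBlobUrl(url, 'https://example.com'));
}
```

`classifyBlobUrl` is deliberately descriptive rather than prescriptive: it reports whether the URL is same-origin and whether the ID is strong enough to be a capability, and leaves the policy decision for <canvas> open, as the message does.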
Received on Tuesday, 20 May 2014 08:28:51 UTC