Re: Blob URL Origin

On Tue, May 20, 2014 at 9:24 PM, Jonas Sicking <> wrote:
> I think you are confusing issues. Or at least talking about two
> separate issues at once in a way that I'm not sure what you are
> talking about. The issue of "is there an XSS issue with treated blob:
> like we treat data:" is a separate issue from "should we treat
> cross-origin blob: like cross-origin http:, i.e. should we allow
> pointing an <img> to a cross-origin blob:".

Sure, I'm still at the "is there an XSS issue" here given that we can
pass Blob objects around without restrictions.

> I had hoped that we had settled the former and decided that blob:
> should not be treated as data:. And I think we've also decided that we
> should use the explicit origin syntax, i.e. something like
> "blob:"

I'm not quite there yet. In part it seems this design stems from the
fact that we cannot create unique enough IDs. My question was if
things change if we did create unique enough IDs as it seems we are
designing something around a rather artificial limitation.


Received on Wednesday, 21 May 2014 11:00:25 UTC