
Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 21 May 2014 12:59:57 +0200
Message-ID: <CADnb78jTz0NHfd8Q_eZaSEt1u12qyQvDk0_oTxQmUjS_hoi0xg@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Tue, May 20, 2014 at 9:24 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> I think you are confusing issues. Or at least talking about two
> separate issues at once in a way that I'm not sure what you are
> talking about. The issue of "is there an XSS issue with treating blob:
> like we treat data:" is a separate issue from "should we treat
> cross-origin blob: like cross-origin http:, i.e. should we allow
> pointing an <img> to a cross-origin blob:".

Sure, I'm still at the "is there an XSS issue" here given that we can
pass Blob objects around without restrictions.

> I had hoped that we had settled the former and decided that blob:
> should not be treated as data:. And I think we've also decided that we
> should use the explicit origin syntax, i.e. something like
> "blob:http://example.com/uuid"

I'm not quite there yet. In part it seems this design stems from the
fact that we cannot create unique enough IDs. My question was whether
things would change if we did create unique enough IDs, as it seems we
are designing something around a rather artificial limitation.

Received on Wednesday, 21 May 2014 11:00:25 UTC
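As an added illustration of the explicit-origin syntax the thread refers to ("blob:http://example.com/uuid"), and not code from the thread or from any browser: with the origin embedded in the URL, a user agent can recover a blob URL's origin from the string alone and run an ordinary same-origin check on it, without depending on the ID being unguessable. The function names are assumptions; the UUIDs are constructed sample values.

```javascript
// Recover the origin of a blob URL written in the explicit-origin syntax
// "blob:<origin>/<uuid>". Returns null for non-blob URLs, and the opaque
// origin "null" when the embedded part is not an http(s) origin.
function blobUrlOrigin(blobUrl) {
  if (typeof blobUrl !== 'string' || !blobUrl.startsWith('blob:')) return null;
  // Everything after "blob:" is the embedded origin followed by "/<uuid>".
  const inner = blobUrl.slice('blob:'.length);
  let parsed;
  try {
    parsed = new URL(inner);          // WHATWG URL parser (Node and browsers)
  } catch {
    return 'null';                    // e.g. "blob:null/<uuid>" or garbage
  }
  // Only http(s) origins are meaningful here; schemes like data: stay opaque.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return 'null';
  return parsed.origin;               // normalized: lower-cased host, default port dropped
}

// Same-origin policy check a user agent would apply before treating a
// blob: load (for example an <img src="blob:...">) as same-origin with
// the document. Opaque ("null") origins never match anything.
function isSameOriginBlob(documentOrigin, blobUrl) {
  const origin = blobUrlOrigin(blobUrl);
  return origin !== null && origin !== 'null' && origin === documentOrigin;
}

// Constructed sample values.
const SAMPLE = 'blob:http://example.com/550e8400-e29b-41d4-a716-446655440000';
console.log(blobUrlOrigin(SAMPLE), isSameOriginBlob('http://example.com', SAMPLE));
```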
