W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: Blob URL Origin

From: Arun Ranganathan <arun@mozilla.com>
Date: Wed, 28 May 2014 17:43:35 -0400
Cc: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, Web Applications Working Group WG <public-webapps@w3.org>
Message-Id: <B4550720-4509-4C27-9D5D-8E9E73069E47@mozilla.com>
To: Anne van Kesteren <annevk@annevk.nl>
On May 22, 2014, at 4:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Thanks, I'm convinced.
> So now I'd like to know what policy we want so we can carefully define it.

The lastest editor’s draft of the File API specifies what we discussed in this email thread as syntax for Blob URLs:


and origin, including how to serialize the Blob URL.

> For blob URLs (and prolly filesystem and indexeddb) we put the origin
> in the URL and define a way to extract it again so new
> URL(blob).origin does the right thing.

I wonder if .origin should be static?

> For fetching blob URLs (and prolly filesystem and indexeddb) we
> effectively act as if the request's mode was same-origin. Allowing
> tainted cross-origin requests would complicate UUID (for the UA) and
> memory (for the page) management in a multiprocess environment.

We’re not allowing them.

— A*

Received on Wednesday, 28 May 2014 21:44:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC