- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 28 May 2014 23:38:59 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>

On Thu, May 22, 2014 at 1:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> For blob URLs (and prolly filesystem and indexeddb) we put the origin
> in the URL and define a way to extract it again so new
> URL(blob).origin does the right thing.

Yup.

> For fetching blob URLs (and prolly filesystem and indexeddb) we
> effectively act as if the request's mode was same-origin. Allowing
> tainted cross-origin requests would complicate UUID (for the UA) and
> memory (for the page) management in a multiprocess environment.

Hmm.. I think that is effectively it yes. I.e. even though <img> says
that it wants to permit cross-origin loads, we'd override that if the
fetch is for a blob: URL and only permit same-origin loads. Is that
what you mean?

/ Jonas

Received on Thursday, 29 May 2014 06:39:57 UTC
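
The two rules discussed in this message (origin carried inside the blob: URL, and blob: fetches forced to same-origin mode), sketched as an added example that is not part of the original thread or any browser's code. The function names, result strings and sample URLs are assumptions made for illustration; the mode names are the Fetch request modes.

```javascript
// Constructed sample: a blob: URL carrying its creator's origin plus a UUID.
const SAMPLE_BLOB =
  "blob:https://app.example/550e8400-e29b-41d4-a716-446655440000";

function isBlobUrl(urlString) {
  return /^blob:/i.test(urlString);
}

// Extract the origin embedded in a blob: URL.
// Returns "null" (an opaque origin) when nothing usable is embedded.
function blobOrigin(urlString) {
  if (!isBlobUrl(urlString)) throw new TypeError("not a blob: URL");
  let inner;
  try {
    inner = new URL(urlString.slice("blob:".length));
  } catch {
    return "null"; // e.g. "blob:<uuid>" with no embedded origin
  }
  // Assumption: only http(s) inner URLs yield a usable origin here.
  return /^https?:$/.test(inner.protocol) ? inner.origin : "null";
}

// The override from the thread: whatever the element asked for
// (<img> asks for "no-cors"), a blob: fetch is treated as "same-origin".
function effectiveMode(urlString, requestedMode) {
  return isBlobUrl(urlString) ? "same-origin" : requestedMode;
}

// Hypothetical decision helper: what happens to this request?
function fetchDecision(pageOrigin, urlString, requestedMode) {
  const mode = effectiveMode(urlString, requestedMode);
  const target = isBlobUrl(urlString)
    ? blobOrigin(urlString)
    : new URL(urlString).origin;
  // An opaque origin is never same-origin with anything.
  const sameOrigin = target !== "null" && target === pageOrigin;
  if (sameOrigin) return "allow";
  if (mode === "same-origin") return "network-error";
  if (mode === "no-cors") return "allow-tainted";
  return "cors-check";
}
```

With these rules a cross-origin page that learns a blob: URL cannot load it even through an element that normally permits tainted cross-origin loads.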