W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 29 May 2014 11:42:28 +0200
Message-ID: <CADnb78jRkUDitph6j8EmSC51hn1wzgUYjENVRAfZQD0fbCyh4Q@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Thu, May 29, 2014 at 8:38 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Thu, May 22, 2014 at 1:29 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> For fetching blob URLs (and prolly filesystem and indexeddb) we
>> effectively act as if the request's mode was same-origin. Allowing
>> tainted cross-origin requests would complicate UUID (for the UA) and
>> memory (for the page) management in a multiprocess environment.
>
> Hmm.. I think that is effectively it yes. I.e. even though <img> says
> that it wants to permit cross-origin loads, we'd override that if the
> fetch is for a blob: URL and only permit same-origin loads. Is that
> what you mean?

Yes.

However, I wonder if this at a standards level should come into play
in the URL parser. After all that creates a structured clone of the
blob in question. The lookup for the blob ID should probably fail at
that point meaning it does not really matter when you then try to
fetch that URL as it will simply not have an associated blob.


-- 
http://annevankesteren.nl/
Received on Thursday, 29 May 2014 09:42:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC