Re: Blob URL Origin

On Thu, May 29, 2014 at 11:42 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> However, I wonder if this at a standards level should come into play
> in the URL parser. After all that creates a structured clone of the
> blob in question. The lookup for the blob ID should probably fail at
> that point meaning it does not really matter when you then try to
> fetch that URL as it will simply not have an associated blob.

I filed a bug https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987 for
this, but it seems worth discussing here.

A blob URL store is already limited to all the origins that can reach
each other through document.domain. So cross-origin blob usage was
already limited per the specification. It seems like what we should do
is instead make this a same-origin store. And then when URLs are
parsed you'd only have access to the same-origin (and *not* effective
origin) blob URL store. In turn that means it does not matter much
whether you put origins in the blob URLs, but I suppose we cold do it
for clarity. It would also make new URL(blobURL).origin work.

What am I missing?


-- 
http://annevankesteren.nl/

Received on Monday, 9 June 2014 07:24:20 UTC