- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 9 Jun 2014 09:23:53 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>

On Thu, May 29, 2014 at 11:42 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> However, I wonder if this at a standards level should come into play
> in the URL parser. After all that creates a structured clone of the
> blob in question. The lookup for the blob ID should probably fail at
> that point meaning it does not really matter when you then try to
> fetch that URL as it will simply not have an associated blob.

I filed a bug https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987 for this, but it seems worth discussing here.

A blob URL store is already limited to all the origins that can reach each other through document.domain. So cross-origin blob usage was already limited per the specification.

It seems like what we should do is instead make this a same-origin store. And then when URLs are parsed you'd only have access to the same-origin (and *not* effective origin) blob URL store.

In turn that means it does not matter much whether you put origins in the blob URLs, but I suppose we could do it for clarity. It would also make new URL(blobURL).origin work.

What am I missing?

--
http://annevankesteren.nl/
Received on Monday, 9 June 2014 07:24:20 UTC
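
A minimal model of the proposal in the message above, added here as an illustration; it is not code from the message, from any specification, or from a browser. The names `BlobURLStores`, `mint`, `revoke` and `parse`, the counter-based IDs and the example.com origins are assumptions made for the sketch.

```javascript
// Added model: one blob URL store per origin, consulted when a URL is parsed.
// BlobURLStores, mint, revoke and parse are hypothetical names, not spec or browser APIs.
class BlobURLStores {
  constructor() {
    this.stores = new Map(); // origin -> Map(blob URL -> blob)
    this.nextId = 0;         // constructed counter; real blob URLs carry a UUID
  }

  storeFor(origin) {
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    return this.stores.get(origin);
  }

  // Stand-in for URL.createObjectURL(): the creator's origin goes into the URL
  // and the entry goes only into that origin's store.
  mint(creatorOrigin, blob) {
    const href = new URL(`blob:${creatorOrigin}/${this.nextId++}`).href;
    this.storeFor(creatorOrigin).set(href, blob);
    return href;
  }

  revoke(origin, href) {
    this.storeFor(origin).delete(href);
  }

  // Parse-time lookup. Only the parsing context's own origin selects the store;
  // an effective origin relaxed through document.domain is never consulted.
  parse(input, parserOrigin) {
    const url = new URL(input);
    const blob = url.protocol === 'blob:'
      ? this.storeFor(parserOrigin).get(url.href) ?? null
      : null;
    return { url, blob }; // blob stands in for the structured clone taken here
  }
}

// Constructed scenario: two subdomains that could reach each other via document.domain.
function demo() {
  const stores = new BlobURLStores();
  const A = 'https://a.example.com', B = 'https://b.example.com';
  const href = stores.mint(A, 'blob-bytes');
  const sameOrigin = stores.parse(href, A);
  const otherOrigin = stores.parse(href, B);
  stores.revoke(A, href);
  return {
    origin: new URL(href).origin,        // origin embedded in the blob URL
    sameOriginBlob: sameOrigin.blob,     // captured at parse time, before revoke
    otherOriginBlob: otherOrigin.blob,   // not present in B's store
    afterRevoke: stores.parse(href, A).blob,
  };
}
```

Because the blob is captured when the URL is parsed, a later revoke does not affect a URL that was already parsed, while a parse after the revoke finds nothing.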