W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 9 Jun 2014 09:23:53 +0200
Message-ID: <CADnb78jJ1KLdrBBXbFzZDFOyaCdWUkehdYmPyHx7_rquy9-8Ug@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Thu, May 29, 2014 at 11:42 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> However, I wonder if this at a standards level should come into play
> in the URL parser. After all that creates a structured clone of the
> blob in question. The lookup for the blob ID should probably fail at
> that point meaning it does not really matter when you then try to
> fetch that URL as it will simply not have an associated blob.

I filed a bug https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987 for
this, but it seems worth discussing here.

A blob URL store is already limited to all the origins that can reach
each other through document.domain. So cross-origin blob usage was
already limited per the specification. It seems like what we should do
is instead make this a same-origin store. And then when URLs are
parsed you'd only have access to the same-origin (and *not* effective
origin) blob URL store. In turn that means it does not matter much
whether you put origins in the blob URLs, but I suppose we cold do it
for clarity. It would also make new URL(blobURL).origin work.

What am I missing?

Received on Monday, 9 June 2014 07:24:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:25 UTC