- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 21 Nov 2013 17:11:06 +0000 (UTC)
- To: Anne van Kesteren <annevk@annevk.nl>
- cc: Daniel Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, 21 Nov 2013, Anne van Kesteren wrote:
> On Wed, Nov 20, 2013 at 6:49 PM, Ian Hickson <ian@hixie.ch> wrote:
> > Any URL that has the same origin as the incumbent settings object when
> > the worker is created should work fine. I don't know what defines the
> > origin of blob: URLs, but if they're same-origin URLs, they should
> > work fine, per the worker spec.
>
> How would you define that? If you compute the origin of a URL,
> independent of anything else, a blob URL obviously yields a unique
> identifier.

Why? You can easily define a blob:'s origin as being the origin registered
for that blob: URL. It's just a lookup. You could even encode the origin
directly into the URL (either opaquely or not), so that it wouldn't need
to be expensive to look up.

> We can say that when fetched, a blob URL returns an untainted response
> (its type is not error), and therefore works.

I don't see any reason to hard-code blob: URLs here.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 21 November 2013 17:11:32 UTC
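
The two options raised in the message above (origin as a registry lookup, or origin encoded into the URL), sketched as an added example that is not part of the original thread or of any specification text. `BlobUrlStore`, `embeddedOrigin`, `mayStartWorker` and the `example` hosts are hypothetical names, and the counter-based ids stand in for the unguessable ids a browser would mint.

```javascript
// Toy model of a blob: URL store (added illustration; all names hypothetical).
let nextId = 0; // constructed ids for the example; browsers mint unguessable ones

class BlobUrlStore {
  constructor() { this.entries = new Map(); } // url -> { origin, data }

  // Option 1: opaque URL; the origin lives only in the registry.
  registerOpaque(origin, data) {
    const url = `blob:opaque-${++nextId}`;
    this.entries.set(url, { origin, data });
    return url;
  }

  // Option 2: the creating origin is serialized into the URL itself.
  registerEmbedded(origin, data) {
    const url = `blob:${origin}/id-${++nextId}`;
    this.entries.set(url, { origin, data });
    return url;
  }

  // "It's just a lookup": the origin registered for this blob: URL,
  // or null when the URL was never registered or has been revoked.
  originOf(url) {
    const entry = this.entries.get(url);
    return entry ? entry.origin : null;
  }

  revoke(url) { this.entries.delete(url); }
}

// Cheap path for option 2: read the origin from the URL string alone.
// This is only what the string claims; it does not prove registration.
function embeddedOrigin(url) {
  if (!url.startsWith('blob:')) return null;
  try {
    const inner = new URL(url.slice('blob:'.length));
    return inner.origin === 'null' ? null : inner.origin;
  } catch {
    return null; // opaque form: nothing parseable after "blob:"
  }
}

// Worker creation check: the script URL must have the same origin as the
// incumbent settings object. The registry decides, not the URL string, so
// a blob: URL that merely names an origin without being registered fails.
function mayStartWorker(store, scriptUrl, incumbentOrigin) {
  const origin = store.originOf(scriptUrl);
  return origin !== null && origin === incumbentOrigin;
}
```

In this model the embedded origin only makes the comparison cheap; the registry entry remains the authority, which is why a revoked or never-registered URL is refused even when its text names the right origin.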