- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 25 Nov 2013 18:03:02 +0000 (UTC)
- To: Anne van Kesteren <annevk@annevk.nl>
- cc: Daniel Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, 25 Nov 2013, Anne van Kesteren wrote: > On Thu, Nov 21, 2013 at 5:11 PM, Ian Hickson <ian@hixie.ch> wrote: > > Why? You can easily define a blob:'s origin as being the origin > > registered for that blob: URL. It's just a lookup. You could even > > encode the origin directly into the URL (either opaquely or not), so > > that it wouldn't need to be expensive to look up. > > That's an interesting model, but doesn't match the one written down: > https://tools.ietf.org/html/rfc6454#section-4 > > In addition, I'm not sure we want blob URLs to have an associated > origin. I think they should always be same-origin if you are holding > one. As the guy who originally designed that algorithm: it wasn't ever intended that that algorithm be the final say on a URL's origin. It's just the default. There's already an exception for "file:" in step 4, we could easily add other exceptions. (In particular, I expect we would have to for a zip-based scheme, if we had one, for instance.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 25 November 2013 18:03:24 UTC