- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 19 Nov 2014 08:57:22 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Nov 19, 2014 at 2:30 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> That's because location.origin seems to be defined as the origin of the
> location URL, not the origin of the document...

Note that document.origin exists these days, but I'm not sure if it's
widely implemented yet.

> Well, no "window". But self.URL.createObjectURL or just URL.createObjectURL
> should work in Firefox 21 and newer. And seems to work fine for starting a
> sub-Worker too. See
> <http://web.mit.edu/bzbarsky/www/testcases/workers/test-worker-from-blob-in-worker.html>.
>
>> Otherwise, they agree pretty well, except that Chrome reports the
>> location.origin of a blob created with allow-same-origin as the
>> origin of the creating page, or the string "://" if from a
>> sandboxed origin, and Firefox always reports location.origin of a
>> blob as "null".
>
> Hmm. There were some recent spec changes in this area; I don't recall what
> the right behavior here is nowadays. It's possible that one or both are
> buggy (e.g. I doubt "://" is ever a valid origin).

Chrome should return "null" if the blob is sandboxed. Firefox needs to
update its blob URL story to include the origin in the URL (and then
use that embedded origin as appropriate in places).

--
https://annevankesteren.nl/

Received on Wednesday, 19 November 2014 07:57:49 UTC