W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: some testing on workers and sandbox

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 19 Nov 2014 08:57:22 +0100
Message-ID: <CADnb78hYLrGS4SKVTSHW_awhEf8JxY0JNsSTfAizHYuPQExp=Q@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Nov 19, 2014 at 2:30 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> That's because location.origin seems to be defined as the origin of the
> location URL, not the origin of the document...

Note that

  document.origin

exists these days, but I'm not sure if it's widely implemented yet.


> Well, no "window".  But self.URL.createObjectURL or just URL.createObjectURL
> should work in Firefox 21 and newer.  And seems to work fine for starting a
> sub-Worker too.  See
> <http://web.mit.edu/bzbarsky/www/testcases/workers/test-worker-from-blob-in-worker.html>.
>
>>         Otherwise, they agree pretty well, except that Chrome reports the
>>         location.origin of a blob created with allow-same-origin as the
>>         origin of the creating page, or the string "://" if from a
>>         sandboxed origin, and Firefox always reports location.origin of a
>>         blob as "null".
>
> Hmm.  There were some recent spec changes in this area; I don't recall what
> the right behavior here is nowadays.  It's possible that one or both are
> buggy (e.g. I doubt "://" is ever a valid origin).

Chrome should return "null" if the blob is sandboxed. Firefox needs to
update its blob URL story to include the origin in the URL (and then
use that embedded origin as appropriate in places).


-- 
https://annevankesteren.nl/
Received on Wednesday, 19 November 2014 07:57:49 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC