- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Wed, 19 Nov 2014 09:52:16 -0500
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: WebAppSec WG <public-webappsec@w3.org>
On 11/19/14, 2:57 AM, Anne van Kesteren wrote: > Chrome should return "null" if the blob is sandboxed. Firefox needs to > update its blob URL story to include the origin in the URL That happened a while ago. It's shipping in Firefox 34 in a few weeks. See https://bugzilla.mozilla.org/show_bug.cgi?id=1058470 And if I do this in Firefox: var url = URL.createObjectURL(new Blob(["aaa"])) new URL(url).origin I get the expected behavior: it returns the origin of the page the script is running in. However if I then create an iframe with src set to url, wait for it to load and then get its location.origin, I get "null". Which seems a bit odd. -Boris
Received on Wednesday, 19 November 2014 14:52:46 UTC