W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: some testing on workers and sandbox

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 19 Nov 2014 09:52:16 -0500
Message-ID: <546CAEA0.7030704@mit.edu>
To: Anne van Kesteren <annevk@annevk.nl>
CC: WebAppSec WG <public-webappsec@w3.org>
On 11/19/14, 2:57 AM, Anne van Kesteren wrote:
> Chrome should return "null" if the blob is sandboxed. Firefox needs to
> update its blob URL story to include the origin in the URL

That happened a while ago.  It's shipping in Firefox 34 in a few weeks. 
  See https://bugzilla.mozilla.org/show_bug.cgi?id=1058470

And if I do this in Firefox:

   var url = URL.createObjectURL(new Blob(["aaa"]))
   new URL(url).origin

I get the expected behavior: it returns the origin of the page the 
script is running in.

However if I then create an iframe with src set to url, wait for it to 
load and then get its location.origin, I get "null".  Which seems a bit odd.

-Boris
Received on Wednesday, 19 November 2014 14:52:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC