- From: Brad Hill <hillbrad@fb.com>
- Date: Wed, 19 Nov 2014 22:59:21 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>, Anne van Kesteren <annevk@annevk.nl>
- CC: WebAppSec WG <public-webappsec@w3.org>

Thanks for the tips! Yes, I'm noticing the same with blobs.

If I create a blob and test its origin with new URL(bloburl).origin, I get the containing page's origin, but after I start a worker with it, it reports internally location.origin as null.

document.origin is always undefined in both FF and Chrome.

Also, event.origin (https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage#The_dispatched_event) is always an empty string for messages from Workers. I guess it's unnecessary on the assumption that channels to Workers are always same-origin, but seems like that might hurt if any kind of non-same-origin Workers are defined?

-Brad

(putting some more polish on the test matrix and will publish it soon)

On 11/19/14, 6:52 AM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

>On 11/19/14, 2:57 AM, Anne van Kesteren wrote:
>> Chrome should return "null" if the blob is sandboxed. Firefox needs to
>> update its blob URL story to include the origin in the URL
>
>That happened a while ago. It's shipping in Firefox 34 in a few weeks.
> See https://bugzilla.mozilla.org/show_bug.cgi?id=1058470
>
>And if I do this in Firefox:
>
>   var url = URL.createObjectURL(new Blob(["aaa"]))
>   new URL(url).origin
>
>I get the expected behavior: it returns the origin of the page the
>script is running in.
>
>However if I then create an iframe with src set to url, wait for it to
>load and then get its location.origin, I get "null". Which seems a bit
>odd.
>
>-Boris
>

Received on Wednesday, 19 November 2014 22:59:46 UTC
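
The origin checks discussed in this message can be made explicit in code. The following is an added example, not part of the original mail or of any browser's implementation. It assumes the rule that a blob: URL takes the origin of the http(s) URL embedded in its path and is otherwise opaque (serialized as "null"). The function names and sample URLs are hypothetical and constructed for illustration.

```javascript
// Added example: compute the serialized origin a blob: URL should report,
// and refuse to treat opaque ("null") origins as matching anything.

// Returns the serialized origin for a blob: URL, "null" when the origin is
// opaque (e.g. a blob minted in a sandboxed context), or null (the value)
// when the input is not a blob: URL at all.
function blobUrlOrigin(input) {
  let outer;
  try {
    outer = new URL(input);
  } catch {
    return null; // not parseable as a URL
  }
  if (outer.protocol !== "blob:") return null;

  // For a blob: URL the path holds the creating context's origin plus an id.
  let inner;
  try {
    inner = new URL(outer.pathname);
  } catch {
    return "null"; // e.g. "blob:null/<id>": no usable inner URL
  }
  if (inner.protocol === "http:" || inner.protocol === "https:") {
    return inner.origin;
  }
  return "null"; // any other inner scheme is treated as opaque here
}

// Same-origin gate to run before handing a blob URL to a Worker or iframe.
// Two opaque origins both serialize to "null" but are never the same origin,
// so a plain string comparison of "null" === "null" must not pass.
function isSameOriginBlob(blobUrl, pageOrigin) {
  const origin = blobUrlOrigin(blobUrl);
  if (origin === null || origin === "null") return false;
  return origin === pageOrigin;
}

// Constructed sample values (not taken from the thread).
const SAMPLE_PAGE_ORIGIN = "https://app.example";
const SAMPLE_BLOB_URL = "blob:https://app.example/0b9d2c1e-constructed-id";
const SAMPLE_SANDBOXED_BLOB_URL = "blob:null/0b9d2c1e-constructed-id";
```

The same caution applies to a message handler: an empty or "null" event.origin identifies no origin and should fail an allow-list check instead of being compared as a string.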