Re: some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 19 Nov 2014 22:59:21 +0000
To: Boris Zbarsky <bzbarsky@mit.edu>, Anne van Kesteren <annevk@annevk.nl>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <D0925F5D.1392%hillbrad@fb.com>

Thanks for the tips!

Yes, I'm noticing the same with blobs.  If I create a blob and test its
with new URL(bloburl).origin, I get the containing page's origin, but after
I start a worker with it, it reports internally location.origin as null.

document.origin is always undefined in both FF and Chrome.

Also, event.origin is always an empty string for messages from Workers.
I guess it's
unnecessary on the assumption that channels to Workers are always
but seems like that might hurt if any kind of non-same-origin Workers are


(putting some more polish on the test matrix and will publish it soon)

On 11/19/14, 6:52 AM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

>On 11/19/14, 2:57 AM, Anne van Kesteren wrote:
>> Chrome should return "null" if the blob is sandboxed. Firefox needs to
>> update its blob URL story to include the origin in the URL
>That happened a while ago.  It's shipping in Firefox 34 in a few weeks.
>  See https://bugzilla.mozilla.org/show_bug.cgi?id=1058470

>And if I do this in Firefox:
>   var url = URL.createObjectURL(new Blob(["aaa"]))
>   new URL(url).origin
>I get the expected behavior: it returns the origin of the page the
>script is running in.
>However if I then create an iframe with src set to url, wait for it to
>load and then get its location.origin, I get "null".  Which seems a bit

Received on Wednesday, 19 November 2014 22:59:46 UTC
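
Added example, not part of the original message or of any browser's test suite: a small probe that puts the three origin views discussed in the thread side by side (the origin parsed from the blob URL, the `location.origin` the worker reports, and `event.origin` on its message). The function names and the sample values used to exercise it are assumptions made for illustration.

```javascript
// View 1: the origin the URL parser derives from the blob URL string.
function urlDerivedOrigin(blobUrl) {
  return new URL(blobUrl).origin;
}

// Compare the URL-derived origin with what the running context reports
// (view 2) and with what the message event carries (view 3).
function compareOriginViews(blobUrl, contextOrigin, eventOrigin) {
  const fromUrl = urlDerivedOrigin(blobUrl);
  const findings = [];
  if (contextOrigin !== fromUrl) {
    findings.push("context reports " + JSON.stringify(contextOrigin) +
                  " but the URL parses to " + JSON.stringify(fromUrl));
  }
  if (eventOrigin === "") {
    // A receiver cannot identify the sender from this event alone.
    findings.push("event.origin is empty");
  } else if (eventOrigin !== fromUrl) {
    findings.push("event.origin is " + JSON.stringify(eventOrigin));
  }
  return { fromUrl, contextOrigin, eventOrigin, findings };
}

// Browser-only probe: start a worker from a blob URL and collect views 2 and 3.
function probeBlobWorker() {
  const src = "postMessage(String(self.location.origin));";
  const blobUrl = URL.createObjectURL(new Blob([src], { type: "text/javascript" }));
  return new Promise((resolve, reject) => {
    const worker = new Worker(blobUrl);
    worker.onerror = reject;
    worker.onmessage = (event) => {
      const result = compareOriginViews(blobUrl, event.data, event.origin);
      worker.terminate();
      URL.revokeObjectURL(blobUrl);
      resolve(result);
    };
  });
}

// Only runs where Web Workers exist; elsewhere the helpers can be called directly.
if (typeof window !== "undefined" && typeof Worker !== "undefined") {
  probeBlobWorker().then((r) => console.log(r), (e) => console.error(e));
}
```

Any non-empty `findings` list marks a place where a check written against one view of the origin would disagree with another.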