
Re: some testing on workers and sandbox

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 19 Nov 2014 22:59:21 +0000
To: Boris Zbarsky <bzbarsky@mit.edu>, Anne van Kesteren <annevk@annevk.nl>
CC: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <D0925F5D.1392%hillbrad@fb.com>
Thanks for the tips!

Yes, I'm noticing the same with blobs.  If I create a blob and test its
origin with new URL(bloburl).origin, I get the containing page's origin,
but after I start a worker with it, it reports internally location.origin
as null.

document.origin is always undefined in both FF and Chrome.

Also, event.origin
(https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage#The_dispatched_event)
is always an empty string for messages from Workers.  I guess it's
unnecessary on the assumption that channels to Workers are always
same-origin, but seems like that might hurt if any kind of
non-same-origin Workers are defined?

-Brad

(putting some more polish on the test matrix and will publish it soon)

On 11/19/14, 6:52 AM, "Boris Zbarsky" <bzbarsky@mit.edu> wrote:

>On 11/19/14, 2:57 AM, Anne van Kesteren wrote:
>> Chrome should return "null" if the blob is sandboxed. Firefox needs to
>> update its blob URL story to include the origin in the URL
>
>That happened a while ago.  It's shipping in Firefox 34 in a few weeks.
>  See https://bugzilla.mozilla.org/show_bug.cgi?id=1058470
>
>And if I do this in Firefox:
>
>   var url = URL.createObjectURL(new Blob(["aaa"]))
>   new URL(url).origin
>
>I get the expected behavior: it returns the origin of the page the
>script is running in.
>
>However if I then create an iframe with src set to url, wait for it to
>load and then get its location.origin, I get "null".  Which seems a bit
>odd.
>
>-Boris
>

Received on Wednesday, 19 November 2014 22:59:46 UTC
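
Added example, not part of the thread or of any browser's code: a receiver-side check that keeps apart the three origin values discussed above (a real origin, "null", and the empty string on worker messages), plus a gate on blob: URLs before they are handed to new Worker(). TRUSTED_ORIGIN, the function names and the sample URLs in the comments are assumptions made up for illustration.

```javascript
// Added example; names and sample values are constructed, not from the thread.
const TRUSTED_ORIGIN = "https://app.example"; // assumed origin of the embedding page

// Origin the URL parser derives for a blob: URL: the origin of the URL embedded
// after "blob:" when that URL is http(s), and the string "null" otherwise.
function blobUrlOrigin(blobUrl) {
  const u = new URL(blobUrl);
  if (u.protocol !== "blob:") throw new TypeError("not a blob: URL: " + blobUrl);
  return u.origin;
}

// Gate for script URLs produced by URL.createObjectURL() before starting a
// worker from them. Unparseable input and non-blob URLs are rejected.
function isOwnBlobUrl(blobUrl) {
  try {
    return blobUrlOrigin(blobUrl) === TRUSTED_ORIGIN;
  } catch {
    return false;
  }
}

// Decide whether to accept a message event. `channel` is "worker" for a
// listener attached to a Worker object and "window" for a window listener.
function acceptMessage(event, channel) {
  if (channel === "worker") {
    // Worker messages carry an empty origin, so comparing it with
    // TRUSTED_ORIGIN would reject every one of them. Trust comes from the
    // script URL the page passed to new Worker(), checked with isOwnBlobUrl().
    return event.origin === "";
  }
  if (channel === "window") {
    // "null" is what every opaque origin (e.g. a sandboxed frame) serializes
    // to, so it identifies nobody; an empty origin is not expected here.
    if (event.origin === "" || event.origin === "null") return false;
    return event.origin === TRUSTED_ORIGIN;
  }
  return false; // unknown channel type
}
```

A single handler shared between window and worker listeners needs the channel argument, because an origin comparison alone cannot tell a worker message from a malformed one.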
