- From: Mike West <mkwst@google.com>
- Date: Tue, 25 Nov 2014 09:26:07 +0100
- To: Brad Hill <hillbrad@fb.com>
- Cc: Mark Nottingham <mnot@mnot.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eLPsR7bdtAwqxiK=1Q9q_1PK=TdxY8wPNOUBgUYyr3mQ@mail.gmail.com>
On Mon, Nov 24, 2014 at 9:51 PM, Brad Hill <hillbrad@fb.com> wrote:

> Maybe this is just a bug, but see Chrome Canary 41 behavior in the
> following test: (blob Worker, location.origin)
>
> https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html
>
> "Mixed Content: The page at 'https://webappsec-test.info/~bhill2/sandbox/iframe-sbx-as.html'
> was loaded over HTTPS, but requested an insecure Worker script
> 'blob:null/ed0a1ba3-bf5a-4f18-9e38-dad7b5b0a9cd'. This request has been
> blocked; the content must be served over HTTPS."
>
> Want to be sure it is clear that a blob created by a secure origin is
> itself secure by the algorithm.

Hrm. The origin of the blob is `null`, as the frame it's created in is sandboxed without the `allow-same-origin` flag. If we didn't block it as mixed content (which, I agree, seems odd), we'd block it because it wasn't same-origin with the page (see step #5 of https://html.spec.whatwg.org/multipage/workers.html#dom-worker, and note that unique origins aren't same-origin with anything, including themselves).

-mike

-- 
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 25 November 2014 08:26:56 UTC