On Fri, May 16, 2014 at 9:11 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> I think the sad thing is that if you couple origins with blob URLs you > can no longer hand a blob URL to an <iframe>-based widget and let them > play with it. E.g. draw, modify, and hand a URL back for the modified > image. But I guess this is a scenario you explicitly want to outlaw, > even though you could do the equivalent by passing a Blob object > directly and that would always work. > As I recall, when I asked why blob URLs were same-origin only, the answer was that it was uncertain whether all platforms had a good enough PRNG to allow generating securely-unguessable tokens for blob URLs in order to make sure sites can't guess blob URLs for other sites. I don't think that's an issue (if you don't have an entropy source to implement a secure PRNG, you don't even have basic crypto). I think that the same-origin restriction for blob URLs should be removed. -- Glenn Maynard
