On Jun 10, 2014, at 2:57 AM, Anne van Kesteren <[email protected]> wrote:
> On Tue, Jun 10, 2014 at 12:16 AM, Arun Ranganathan <[email protected]> wrote: >> Right now, the Blob URL Store is defined in terms of units of similar-origin >> browsing contexts; each unit is required to have a Blob URL Store. As you >> point out, that allows all origins within document.domain access to a given >> Blob URL Store. > > Yeah, so unlike what the discussion claimed thus far, we did not in > fact allow that much cross-origin blob URL usage. Only origins within > the document.domain reach. > > >> 1. Require that entries in the Blob URL Store also store origin > > I thought this was the idea. The "identifier" would be > "http://someorigin:70/uuid”. Yes; there was some discussion about tuples vs. strings on IRC, but I think one leads to the other, and we can define how to extract the origin from a parsed Blob URL in terms of another use of the URL Parser instead of string parsing. > >> 2. Define it strictly as a same-origin store. I’m a bit fuzzy on how exactly >> to define this; for instance, strictly the origin and not the effective >> script origin of a Document? > > We could say that the store is bound to a global object. And then both > URL.createObjectURL() and places that parse URLs hook into the entry > setting object's global object's blob URL store. > > At that point the only benefit of putting the origin into the URL is > so that new URL(blob).origin works. This seems right; I think it would be rare that a developer would need to check origin, but it’s been pointed out that there some use cases for that. It seems better to introduce a method that doesn’t require creating a new object, but I don’t feel strongly about it. > Something that is still unclear to me is what happens when you > navigate to a blob URL. I guess that still technically works as the > URL parsing would happen within the correct global. If URL parsing doesn’t occur within the correct global, a network error will be the result, since there won’t be a corresponding entry in the Blob URL store that matches the identifier. So I think this sounds workable. — A*
