I was looking at SecurityOrigin.cpp today and I saw a bunch of code relating to Blob URLs. I don't really understand why this code is correct. Would someone be willing to explain it to me?

Some specific questions:

1) Why do blob URLs get an exception from the unique origin check? How does that interact with the HTML5 sandboxing model?

2) Why does SecurityOrigin::canLoad take a document as an argument? What are the semantics of this parameter? In particular, why does SecurityOrigin::canLoad ignore |this| when called with a document argument on a blob URL? That seems like a very bad idea.

In general, I'd prefer if folks checked with Sam or me before adding loopholes in SecurityOrigin. Although the class might appear simple, it's quite subtle.

Adam

_______________________________________________
webkit-dev mailing list
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

