On Mar 26, 2013, at 8:30 PM, Jonas Sicking wrote:

> On Tue, Mar 26, 2013 at 2:17 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> Hi,
>>
>> Is there any particular reason why we restrict blob URLs to the same
>> origin as the script that created them? In effect they are pretty much
>> like capability URLs (containing an unguessable token). So if someone
>> decides to share one, that should be okay I think. This would be
>> useful in the context of sandboxed code (<iframe sandbox>) and
>> presumably elsewhere too.
>
> I think the original concern was that implementations might not be
> able to reliably generate unguessable URLs. Potentially that's
> something that we could require though.

We already require this -- "opaque strings" should be globally unique.

>
> However we'd still need to nail down what the new behavior should be.
> Should it behave like data: URLs? The main advantage of those is that
> implementations still don't agree on how those should behave.

They're very different than data URLs. What's a good use case for making them cross-origin, that isn't addressed by use of postMessage?

-- A*