On Sat, Mar 30, 2013 at 1:42 AM, Jonas Sicking <jo...@sicking.cc> wrote:
> The reason that data: is relevant there is that blob: is proposed to behave
> the same as data:.

So the way a CORS fetch works in HTML is that it special cases data URLs and about:blank to be in the same category as same-origin URLs. XMLHttpRequest does the same for data URLs, and workers does something similar too. http://fetch.spec.whatwg.org/ will unify this.

If we add blob URLs to that list they would be considered CORS same-origin. We still need to add something though that ensures that data URLs and blob URLs are not considered same-origin after a redirect.

--
http://annevankesteren.nl/
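
A small JavaScript model of the classification described in the message above, added here as an illustration; it is not part of the original message and is not the Fetch specification's algorithm. The function names, the requester origin and the sample URLs are constructed, and treating blob: like data: follows the proposal the message discusses.

```javascript
// Illustrative model only (hypothetical names, not the Fetch spec's algorithm).
// Schemes the message groups, or proposes to group, with same-origin URLs.
const LOCAL_SCHEMES = new Set(["data:", "blob:"]);

function isLocalUrl(url) {
  return LOCAL_SCHEMES.has(url.protocol) || url.href === "about:blank";
}

// Classify a single URL for a CORS fetch.
// viaRedirect: true when this URL was reached by following a redirect.
function classifyHop(urlString, requesterOrigin, viaRedirect) {
  const url = new URL(urlString);
  if (isLocalUrl(url)) {
    // The redirect caveat from the message: a data:/blob: URL named by a
    // redirecting server must not inherit same-origin status.
    // Applying the same caveat to about:blank is a conservative assumption
    // of this sketch; the message names only data: and blob: URLs.
    return viaRedirect ? "cross-origin" : "same-origin";
  }
  return url.origin === requesterOrigin ? "same-origin" : "cross-origin";
}

// Classify every hop of a fetch: the initial URL, then each redirect target.
function classifyChain(chain, requesterOrigin) {
  return chain.map((u, i) => classifyHop(u, requesterOrigin, i > 0));
}

// Constructed sample input.
const ORIGIN = "https://app.example";
const SAMPLES = [
  ["data:text/plain,hello"],                               // direct data: URL
  ["blob:https://app.example/constructed-id"],             // direct blob: URL
  ["https://app.example/r", "data:text/html,<p>x</p>"],    // redirect to data:
  ["https://other.example/r", "blob:https://app.example/constructed-id"],
];

for (const chain of SAMPLES) {
  console.log(chain.join(" -> "), classifyChain(chain, ORIGIN));
}
```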