On Mon, May 19, 2014 at 3:30 AM, Jonas Sicking <jo...@sicking.cc> wrote:
> In at least Chrome and Firefox, blob: acts like filesystem: and can't
> be loaded cross-origin. Even in cases when we normally permit loading
> of cross-origin resources like in <img> and <script>.
>
> This has been to prevent websites from being able to steal data by
> guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to
> produce unguessable UUIDs).
>

Again, generating securely unguessable tokens (whether in UUID format or not) is straightforward, so this doesn't seem like a reason to block cross-origin blob URLs.

--
Glenn Maynard