On Tue, May 20, 2014 at 2:24 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> Yes, we could demand that implementations generate unguessable
> UUIDs. And then define that a page from http://a.com can use <img
> src="blob:http://b.com/uuid">, but if it then used that element to
> drawImage into a <canvas>, that the canvas would get tainted.
>
> But there appears to be very little utility of doing this. Rather than
> spending time implementing an unguessable UUID generator, and then
> worrying that someone would still accidentally pass a blob: URL where
> they shouldn't, I'd rather implement a way to generate a blob: URL
> which is explicitly usable cross-origin. But in <img> and in XHR. I.e.
> a Blob URL which responds with CORS headers.
>

It'd be a lot better for blob URLs to act like other resources: either full access (same origin or CORS cross-origin) or limited access cross-origin (usable but taints canvas, can't be read with XHR, etc.) than to block them entirely cross-origin. Generating unguessable tokens (including version 4 UUIDs) is so easy to do that it doesn't make sense to limit the API based on this.

--
Glenn Maynard
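The following is an added example, not part of the original message and not browser or specification code. It sketches the two ideas in the reply above: a version 4 UUID drawn from a CSPRNG, and the "full" versus "limited" access levels for a blob: URL of the form `blob:<origin>/<uuid>`. The names `uuidV4`, `mintBlobUrl`, `accessLevel` and the `corsEnabled` flag are hypothetical.

```javascript
// Added example: models the access levels discussed in the thread; assumptions are marked.
const fillRandom = (buf) =>
  globalThis.crypto && globalThis.crypto.getRandomValues
    ? globalThis.crypto.getRandomValues(buf)
    : require('crypto').randomFillSync(buf); // fallback for older Node.js

// Version 4 UUID: 122 bits from a CSPRNG, with the version and variant bits fixed.
function uuidV4() {
  const b = fillRandom(new Uint8Array(16));
  b[6] = (b[6] & 0x0f) | 0x40; // version 4
  b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
  const h = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// Blob URL in the form quoted in the thread: blob:<origin>/<uuid>
function mintBlobUrl(origin) {
  return `blob:${new URL(origin).origin}/${uuidV4()}`;
}

// Hypothetical policy model. corsEnabled stands in for the proposed
// "Blob URL which responds with CORS headers".
function accessLevel(blobUrl, requesterOrigin, corsEnabled = false) {
  const m = /^blob:(.+)\/([0-9a-f-]{36})$/.exec(blobUrl);
  if (!m) throw new TypeError('not a blob: URL of the expected form');
  const creatorOrigin = new URL(m[1]).origin;
  if (creatorOrigin === new URL(requesterOrigin).origin) return 'full';
  // 'limited': usable in <img>, but taints canvas and cannot be read with XHR.
  return corsEnabled ? 'full' : 'limited';
}
```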