On Thu, May 22, 2014 at 1:29 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> For blob URLs (and prolly filesystem and indexeddb) we put the origin
> in the URL and define a way to extract it again so new
> URL(blob).origin does the right thing.

Yup.

> For fetching blob URLs (and prolly filesystem and indexeddb) we
> effectively act as if the request's mode was same-origin. Allowing
> tainted cross-origin requests would complicate UUID (for the UA) and
> memory (for the page) management in a multiprocess environment.

Hmm.. I think that is effectively it yes. I.e. even though <img> says that it wants to permit cross-origin loads, we'd override that if the fetch is for a blob: URL and only permit same-origin loads. Is that what you mean?

/ Jonas
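
The rule discussed in this message, modelled as an added JavaScript example that is not part of the original thread or of any browser's code: the origin is read back out of the blob: URL, and the request mode is forced to same-origin whatever the element asked for. The function names, the constructed sample URLs, and the choice to refuse serialized `"null"` origins (an opaque origin cannot be shown equal to another from its string form) are assumptions of this sketch.

```javascript
// Added illustration; function names are hypothetical, not from a spec or browser.

// Read back the origin embedded in a blob: URL, as `new URL(blob).origin` does.
function blobOrigin(blobUrl) {
  const url = new URL(blobUrl);
  if (url.protocol !== "blob:") {
    throw new TypeError("not a blob: URL: " + blobUrl);
  }
  // Serializes to "null" when the embedded origin is opaque or unparsable.
  return url.origin;
}

// Mode the fetch effectively runs with: for blob: URLs the caller's
// requested mode (e.g. <img> asking for "no-cors") is overridden.
function effectiveMode(requestUrl, requestedMode) {
  return new URL(requestUrl).protocol === "blob:" ? "same-origin" : requestedMode;
}

// Decide whether a blob: load may proceed for a given requester origin
// (a serialized origin string such as "https://app.example").
function mayLoadBlob(requesterOrigin, blobUrl, requestedMode) {
  if (effectiveMode(blobUrl, requestedMode) !== "same-origin") {
    return false; // not reachable for blob: URLs; kept as a fail-closed default
  }
  const target = blobOrigin(blobUrl);
  // Assumption: every opaque origin serializes to "null", so string equality
  // would wrongly treat two unrelated opaque origins as the same. Refuse.
  if (target === "null" || requesterOrigin === "null") {
    return false;
  }
  return target === requesterOrigin;
}

// Constructed sample URLs (the UUIDs are made up for the example).
const SAMPLE_BLOB = "blob:https://app.example/9b2f6c1e-3a47-4d0b-8e55-0c1d2e3f4a5b";
const SAMPLE_OPAQUE_BLOB = "blob:null/9b2f6c1e-3a47-4d0b-8e55-0c1d2e3f4a5b";

console.log(blobOrigin(SAMPLE_BLOB));
console.log(mayLoadBlob("https://app.example", SAMPLE_BLOB, "no-cors"));
console.log(mayLoadBlob("https://other.example", SAMPLE_BLOB, "no-cors"));
```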