On Thu, May 29, 2014 at 11:42 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> However, I wonder if this at a standards level should come into play
> in the URL parser. After all that creates a structured clone of the
> blob in question. The lookup for the blob ID should probably fail at
> that point meaning it does not really matter when you then try to
> fetch that URL as it will simply not have an associated blob.

I filed a bug https://www.w3.org/Bugs/Public/show_bug.cgi?id=25987 for this, but it seems worth discussing here.

A blob URL store is already limited to all the origins that can reach each other through document.domain. So cross-origin blob usage was already limited per the specification. It seems like what we should do is instead make this a same-origin store. And then when URLs are parsed you'd only have access to the same-origin (and *not* effective origin) blob URL store. In turn that means it does not matter much whether you put origins in the blob URLs, but I suppose we could do it for clarity. It would also make new URL(blobURL).origin work.

What am I missing?

--
http://annevankesteren.nl/
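
The following is an added illustration, not part of the original message and not specification or browser code: a toy model of the proposal above, where each origin has its own blob URL store and the lookup happens when the URL is parsed. The names `BlobURLStore`, `createObjectURL`, `parse` and `originOfBlobURL`, the `example.com` hosts and the counter used in place of a UUID are all assumptions made for the sketch.

```javascript
// Toy model: one blob URL store per origin, consulted at URL-parse time.
// All class and function names here are hypothetical.
class BlobURLStore {
  constructor() {
    this.stores = new Map(); // origin -> Map(blob URL -> blob)
    this.nextId = 0;         // stand-in for the UUID a browser would mint
  }

  // Register a blob under the creating document's origin; return its URL.
  createObjectURL(origin, blob) {
    const url = `blob:${origin}/${this.nextId++}`;
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    this.stores.get(origin).set(url, blob);
    return url;
  }

  // Parse-time lookup: only the caller's own origin store is visible.
  // The effective origin (document.domain) plays no part in the lookup.
  parse(url, callerOrigin) {
    const store = this.stores.get(callerOrigin);
    const blob = store && store.has(url) ? store.get(url) : null;
    return { href: url, origin: originOfBlobURL(url), blob };
  }
}

// With the origin embedded in the blob URL, the origin can be derived
// from the URL text alone, whether or not the lookup succeeds.
function originOfBlobURL(url) {
  if (!url.startsWith("blob:")) return null;
  try {
    return new URL(url.slice("blob:".length)).origin;
  } catch (e) {
    return null;
  }
}

// Constructed sample: two hosts that could share document.domain.
function demo() {
  const registry = new BlobURLStore();
  const a = "https://a.example.com";
  const b = "https://b.example.com";
  const url = registry.createObjectURL(a, "payload");
  return { url, sameOrigin: registry.parse(url, a), sibling: registry.parse(url, b) };
}
```

In this model the sibling origin's parse yields a URL with no associated blob, so a later fetch has nothing to resolve, while the origin of the URL is still readable from the string.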