Address space inheritance for blob URLs #18
Comments
|
I tend to agree. What we care about is the provenance of the content, so the blob you describe should not behave differently from the page that created it. |
|
I was going to post an update here, but I think this issue is actually simply superseded by #27. TL;DR: I think we should inherit the address space of the blob URL creator context. |
|
Re-opening this to track longer term work, blocked upstream by w3c/FileAPI#142. We want to implement the inheritance laid out in the previous comment, but cannot do so until the Blob URL store can capture policies at URL creation time. |
letitz
changed the title
|
This issue is fixed via integration with HTML's new policy container, added in 4627c13. Implementation work to match the spec should not be tracked here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If a loopback or local frame creates and iframes a blob URL, then what should be the behavior of the subframe wrt cors-rfc1918? I think all frames with origin X (e.g. https://intranet.corp.example.com) should behave consistently and therefore I expect the same cors-rfc1918 behavior for both 1) https://intranet.corp.example.com and 2) blob:https://intranet.corp.example.com/some-guid.
The text was updated successfully, but these errors were encountered: