[whatwg] Same origin - Blob and FileSystem URLs

Adam Barth w3c at adambarth.com
Fri Oct 14 01:45:49 PDT 2011


2011/10/12 Bronislav Klučka <Bronislav.Klucka at bauglir.com>:
> On 12.10.2011 16:32, Kyle Huey wrote:
>>
>> 2011/10/12 Bronislav Klučka<Bronislav.Klucka at bauglir.com>
>>
>>> Hello
>>> Certain parts of spesc are covering how to work with resources identified
>>> by URL and same-origin issue (download attribute, canvas)
>>> looking at same-origin algorithm
>>> http://www.whatwg.org/specs/**web-apps/current-work/**
>>>
>>> multipage/origin-0.html#same-**origin<http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin>
>>> I'm wondering about Blob URL and FileSystem API URL. Those are not
>>> conventional URL but they are named as "URL" and one can work with them
>>> the
>>> same as with regular URL. How does the same-origin policy apply to those
>>> URLs?
>>>
>>> Bronislav Klucka
>>>
>>>
>> Per spec, Blob URIs are same origin with the script that created them.
>>  See
>> http://dev.w3.org/2006/webapi/FileAPI/#originOfBlob
>>
>> - Kyle
>
> May I assume that
> http://www.w3.org/TR/file-system-api/#widl-Entry-toURL
> is also the same-origin as the originator script origin?

Technically, they're same-origin with the storage area that stores the
file.  Under normal circumstances, that will be the same as the script
that calls that API, but it's not always the same.

Adam



More information about the whatwg mailing list