You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Let's say there's a worker created from a data: URL in a secure context. That worker creates a blob: URL and tries to create a nested worker out of that URL. Should that be blocked as mixed content? In other words, should the blob: URL be considered potentially trustworthy?
From the data worker: postMessaging to a dedicated blob sub-worker allows them to see each others' modifications test in [1], Firefox doesn't block the above as mixed content, but other browsers do.
I think the current spec says the blob: URL is not trustworthy, because [2] says
Note: The origin of `blob:` URLs is the origin of the context in which they were created. Therefore, blobs created in a trustworthy origin will themselves be potentially trustworthy.
Since workers created from a data: URL has a unique opaque origin [3], and opaque origins are not trustworthy [4], this blob: URL should not be considered potentially trustworthy.
However, since this blob is created in a secure context, and blob objects are immutable, it feels like we should be able to trust this URL to deliver data securely. Should we consider updating the spec to make blob: URLs potentially trustworthy if their creator context is secure?
Let's say there's a worker created from a
data:
URL in a secure context. That worker creates ablob:
URL and tries to create a nested worker out of that URL. Should that be blocked as mixed content? In other words, should theblob:
URL be considered potentially trustworthy?From the
data worker: postMessaging to a dedicated blob sub-worker allows them to see each others' modifications
test in [1], Firefox doesn't block the above as mixed content, but other browsers do.I think the current spec says the
blob:
URL is not trustworthy, because [2] saysSince workers created from a
data:
URL has a unique opaque origin [3], and opaque origins are not trustworthy [4], thisblob:
URL should not be considered potentially trustworthy.However, since this blob is created in a secure context, and blob objects are immutable, it feels like we should be able to trust this URL to deliver data securely. Should we consider updating the spec to make
blob:
URLs potentially trustworthy if their creator context is secure?[1] https://wpt.fyi/results/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html?label=master&label=experimental&aligned&q=html%2Finfrastructure%2Fsafe-passing-of-structured-data%2Fshared-array-buffers%2Fblob-data.https.html
[2] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[3] https://html.spec.whatwg.org/multipage/workers.html#set-up-a-worker-environment-settings-object
[4] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
The text was updated successfully, but these errors were encountered: