Looks like there is no way to generate a usable, “origin-isolated” Blob URL? I need it to serve untrusted, client-side generated user content (1), and I wish I could show the raw URL (to download, open in a new tab, etc.) without any risks.

Right now that is not possible. I lose control as soon as the object URL is exposed; I can’t contain it in a sandboxed iframe, nor enforce CSP directives (2).

Is this a gap in Web API?

1) can’t use a cookie-less host
2) Chrome does that in an unspecified way?

@timdream I'm not sure I fully understand what you're proposing, but you should be able to use createObjectURL from an opaque origin such as a sandboxed iframe (where "allow-scripts" is specified but not "allow-same-origin") to get a blob URL that is associated with that opaque origin. The blob will then look like "blob:null/54768f54-dcbe-4bf3-93eb-75d3a843f008".
@asutherland I did, the null-origin URL is not usable for triggering navigation or download in the original page. I got a SecurityError that prevents me from accessing a “local resource”.
@timdream At least in Firefox (and I think the intent behind the spec text at https://w3c.github.io/FileAPI/#partitioningOfBlobUrls about navigations) was that if you manually navigate/open a new tab with a blob URL (copy a link, and paste it into the URL bar; or right-click on the blob URL link and select open in new tab), it works (and we relax the same-agent-cluster policy that maybe comes from other spec text). I'm hazy on where we are in regards to our impl and spec plans for that.

@timdream I should note that a major meta problem with everything in this space is just that all the interesting good-actor use-cases are also incredibly attractive to bad actors. And in many cases (like the VS Code case), the solution is just to work with the origin security model of the web and host things on distinct (sub)domains (potentially leveraging the public suffix list). Because that's also then legible to at least some users as to what's going on.
@asutherland Yeah I get that, thanks for the help! I figured as soon as I devise a solution involving postMessage'ing Blob and object URLs between frames, the behavior is going to be uneven and under-spec'd.
@timdream For postMessage-ing Blobs between frames (and across origins) I think there's nothing to worry about. I think the spec has caught up with reality and is now consistent for object URLs: same agent cluster, same storage key/partition (https://w3c.github.io/FileAPI/#partitioningOfBlobUrls), but implementations may still be lagging. The safest thing to do with blob URLs, though, is to do what the spec originally intended: only use them in the document you created them in (or in a worker created from that document).
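The two mechanisms discussed above (minting a blob URL from an opaque-origin sandboxed iframe, and posting Blobs/URLs between frames) as one added example. This is not code from anyone in the thread; the `{ kind: "blob-url" }` message shape, the `srcdoc` child script and the helper names are assumptions made for the demo.

```javascript
// Added example for this thread, not code from any of the participants.
// Assumptions (not from the thread): the parent can embed an iframe, the
// child runs from srcdoc, and the { kind: "blob-url" } message shape is invented.

// Pure helper: the origin bound to a blob: URL is the origin of the URL
// embedded in its path, or "null" when that part is not an http(s) origin.
// Works wherever the WHATWG URL class exists (browsers and Node).
function blobUrlOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== "blob:") throw new TypeError("not a blob: URL: " + url);
  return u.origin;
}

function isOpaqueOriginBlobUrl(url) {
  return blobUrlOrigin(url) === "null";
}

// Gatekeeping for messages arriving from the sandboxed frame: accept only
// messages whose source is that frame's window, whose origin serialises as
// "null" (the opaque origin we deliberately gave it), and whose payload has
// the expected shape. Kept pure so it can be unit-tested with plain objects.
function isExpectedFrameMessage(ev, expectedSource) {
  return ev.source === expectedSource &&
         ev.origin === "null" &&
         ev.data !== null && typeof ev.data === "object" &&
         ev.data.kind === "blob-url" &&
         typeof ev.data.url === "string";
}

// Script that runs inside the frame. sandbox="allow-scripts" without
// allow-same-origin gives the frame an opaque origin, so the URL it mints
// has the "blob:null/<uuid>" form described in the thread.
const CHILD_SCRIPT = `
  const blob = new Blob(["<h1>untrusted user content</h1>"], { type: "text/html" });
  const url = URL.createObjectURL(blob);
  // Blob is structured-cloneable, so it can travel alongside the URL.
  // "*" is unavoidable here: an opaque-origin frame cannot name the
  // parent's origin in targetOrigin, so the parent must filter instead.
  parent.postMessage({ kind: "blob-url", url, blob }, "*");
`;

function mountOpaqueOriginFrame(onBlobUrl) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts"); // deliberately no allow-same-origin
  frame.srcdoc = `<script>${CHILD_SCRIPT}<\/script>`;
  window.addEventListener("message", (ev) => {
    if (!isExpectedFrameMessage(ev, frame.contentWindow)) return;
    onBlobUrl(ev.data);
  });
  document.body.appendChild(frame);
  return frame;
}

// Browser-only demonstration; skipped when the file is run under Node.
if (typeof document !== "undefined") {
  mountOpaqueOriginFrame(({ url, blob }) => {
    console.log(url, "bound to origin:", blobUrlOrigin(url)); // blob:null/... null
    // The Blob itself carries no origin; only the URL does. Re-minting a URL
    // for the same bytes in the parent binds it to the parent's origin, which
    // is exactly what you do NOT want for untrusted content.
    const reminted = URL.createObjectURL(blob);
    console.log(reminted, "bound to origin:", blobUrlOrigin(reminted));
    URL.revokeObjectURL(reminted);
  });
}
```

The part worth keeping regardless of how the spec settles is `isExpectedFrameMessage`: because the child must post with `targetOrigin "*"`, every bit of authentication happens on the receiving side (source window, `"null"` origin, payload shape). `blobUrlOrigin` is the quick check for which origin a URL you were handed is actually bound to; a `blob:null/...` URL is opaque-origin and, as reported in the thread, cannot simply be navigated to from the parent.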

@asutherland Good to know that the spec is complete! I will wait for the implementations to catch up :)

Since we are talking: I am not convinced that cookie-less user content domains are safe... at least not really safe unless you can put them on the PSL. The PSL can't scale for every app out there either.

It is therefore better if implementations can allow applications to create null-origin object URLs explicitly. Maybe even with sugar syntax like URL.createObjectURL(blob, options).

@timdream That said, I think frequently what people want is a situation like that provided by Web Extension content scripts (or privileged system code in Firefox or Thunderbird), and that is not provided by the web platform yet, but I think Shadow Realms (https://github.com/tc39/proposal-shadowrealm/blob/main/explainer.md) is the closest thing right now.

https://github.com/w3c/ServiceWorker/issues/1437 is maybe interesting to you in this use case, although Service Workers are very unlikely to provide the requested API.

@timdream Have you tried adding CSP through meta tags? https://content-security-policy.com/examples/meta/ (no sandbox though)

@phy Yes, on my page. IIRC it seems to also apply to a blob URL opened in a new tab from that page, but won’t apply if the URL is copied and pasted into a new tab.
In any case that’s neither consistent nor really secure.