Support Blob URLs and window.URL API

Question

Support Blob URLs and window.URL API

tapananand opened this issue 8 years ago · 3 comments

Currently, Caja does not support the window.URL API and hence using the Blob as a URL as described here is not possible.

Please add support for it if possible. Are there any risks associated with it?

Answer 1 · 2017-03-24T17:33:37.000Z

New features for Caja are pretty much on hold for the time being. However, if you'd like to write a patch to add this one we'd be happy to review and incorporate it.

As to issues in supporting it, the thing that comes to mind is that it would be undesirable if the guest could revokeObjectURL on URLs created by the host that the guest comes to know. This could be handled for simple cases by remembering (for the session) every URL gotten through createObjectURL and using that as a whitelist on the revoke operation, but that might be worse than the alternative for some applications.

Answer 2 · 2017-03-24T17:39:46.000Z

Thanks for the quick response.

This could be handled for simple cases by remembering (for the session) every URL gotten through createObjectURL and using that as a whitelist on the revoke operation, but that might be worse than the alternative for some applications

Are you saying it might be worse due to performance?
Also, is there a particular reason why new features are on hold?

Answer 3 · 2017-03-24T17:45:29.000Z

Are you saying it might be worse due to performance?

No, due to the resulting properties. Actually, on second thought, it won't make any difference, so that strategy should be fine.

Also, is there a particular reason why new features are on hold?

There are two-and-a-half people working on Caja in spare time, and spare time and enthusiasm is a scarce resource. Thus, help wanted, patches welcome, etcetera.