diff --git a/src/lib.ts b/src/lib.ts
index a6f609f4..f5e16ecd 100644
--- a/src/lib.ts
+++ b/src/lib.ts
@@ -19,6 +19,7 @@ export type {ILogItem} from "./logging/types";
 export {IDBLogPersister} from "./logging/IDBLogPersister";
 export {ConsoleReporter} from "./logging/ConsoleReporter";
 export {Platform} from "./platform/web/Platform.js";
+export {BlobHandle} from "./platform/web/dom/BlobHandle";
 export {Client, LoadStatus} from "./matrix/Client.js";
 export {RoomStatus} from "./matrix/room/common";
 // export everything needed to observe state events on all rooms using session.observeRoomState
diff --git a/src/platform/web/dom/BlobHandle.js b/src/platform/web/dom/BlobHandle.js
index 32dd94c0..932fa53c 100644
--- a/src/platform/web/dom/BlobHandle.js
+++ b/src/platform/web/dom/BlobHandle.js
@@ -74,12 +74,23 @@ const ALLOWED_BLOB_MIMETYPES = {
 const DEFAULT_MIMETYPE = 'application/octet-stream';
 
 export class BlobHandle {
+    /**
+     * @internal
+     * Don't use the constructor directly, instead use fromBuffer, fromBlob or fromBufferUnsafe
+     * */
     constructor(blob, buffer = null) {
         this._blob = blob;
         this._buffer = buffer;
         this._url = null;
     }
 
+    /** Does not filter out mimetypes that could execute embedded javascript.
+     * It's up to the callee of this method to ensure that the blob won't be
+     * rendered by the browser in a way that could allow cross-signing scripting. */
+    static fromBufferUnsafe(buffer, mimetype) {
+        return new BlobHandle(new Blob([buffer], {type: mimetype}), buffer);
+    }
+
     static fromBuffer(buffer, mimetype) {
         mimetype = mimetype ? mimetype.split(";")[0].trim() : '';
         if (!ALLOWED_BLOB_MIMETYPES[mimetype]) {
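Review bot: The JSDoc on `fromBufferUnsafe` misnames the hazard it is warning about — `cross-signing scripting` should be cross-site scripting, and the responsible party is the caller, not the `callee` — so a reader searching for XSS guidance on this factory will not find it. Suggested wording: `It's up to the caller of this method to ensure that the blob won't be rendered by the browser in a way that could allow cross-site scripting (e.g. by navigating to or framing its object URL).` The same comment should also state that, unlike `fromBuffer` just below, the `mimetype` argument is passed to `Blob` verbatim — no `split(";")[0].trim()` normalization and no fallback to `DEFAULT_MIMETYPE`, so parameters survive and an `undefined` mimetype should, as far as I can tell, yield an empty blob type. Because the first hunk re-exports `BlobHandle` from `src/lib.ts`, this unsafe factory becomes part of the library's public surface and the comment is the only guard consumers will see. `fromBuffer` and the class body continue past the end of the hunk.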