W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Comments on "origin" (data: and image)

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 02 Feb 2008 11:52:52 +0100
To: "HTML WG" <public-html@w3.org>
Message-ID: <op.t5v8iep164w2qv@annevk-t60.oslo.opera.com>

The section should be more clear what it means by image. Is that simply a  
reference to the <img> element?

Also, it should clearly distinguish between the origin for safe data: URI  
images, and unsafe data: URI images. This to ensure <canvas> data is round  
trippable for instance, but that we don't increase the attack surface.

A safe data: URI image is every <img> element where the image is  
represented by a data: URI and where this URI was not obtained through a  
single cross-site request. So <img src=data:...> is safe, but <img  
src=http://cross-site.victim.com> which redirects upon fetching to a data:  
URI is not.

Anne van Kesteren
Received on Saturday, 2 February 2008 10:49:30 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:30 UTC