W3C home > Mailing lists > Public > public-html@w3.org > February 2008

Re: Comments on "origin" (data: and image)

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 10 Feb 2008 00:17:28 +0000 (UTC)
To: Anne van Kesteren <annevk@opera.com>
Cc: HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0802100014540.20115@hixie.dreamhostps.com>

On Sat, 2 Feb 2008, Anne van Kesteren wrote:
> 
> The section should be more clear what it means by image. Is that simply 
> a reference to the <img> element?

I'm not sure to what you refer here.


> Also, it should clearly distinguish between the origin for safe data: 
> URI images, and unsafe data: URI images. This to ensure <canvas> data is 
> round trippable for instance, but that we don't increase the attack 
> surface.

Isn't this already done in the definition of "origin"?


> A safe data: URI image is every <img> element where the image is 
> represented by a data: URI and where this URI was not obtained through a 
> single cross-site request. So <img src=data:...> is safe, but <img 
> src=http://cross-site.victim.com> which redirects upon fetching to a 
> data: URI is not.

This seems already defined.

Could you give examples of what you think the spec doesn't define?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 10 February 2008 00:17:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:12 GMT