Re: Comments on "origin" (data: and image)

On Sun, 10 Feb 2008 01:17:28 +0100, Ian Hickson <ian@hixie.ch> wrote:
> On Sat, 2 Feb 2008, Anne van Kesteren wrote:
>>
>> The section should be more clear what it means by image. Is that simply
>> a reference to the <img> element?
>
> I'm not sure to what you refer here.

Section "4.3.2 Origin".


>> Also, it should clearly distinguish between the origin for safe data:
>> URI images, and unsafe data: URI images. This is to ensure <canvas> data is
>> round trippable for instance, but that we don't increase the attack
>> surface.
>
> Isn't this already done in the definition of "origin"?

In that "The origin of a Document or image that was generated from a data:  
URI found in another Document or in a script is the origin of the Document  
or script." takes care of the safe data: URI and "The origin of a Document  
or image that was generated from a data: URI from another source is a  
globally unique identifier assigned when the document is created." of the  
unsafe? It's not really that clear to me.


>> A safe data: URI image is every <img> element where the image is
>> represented by a data: URI and where this URI was not obtained through a
>> single cross-site request. So <img src=data:...> is safe, but <img
>> src=http://cross-site.victim.com> which redirects upon fetching to a
>> data: URI is not.
>
> This seems already defined.
>
> Could you give examples of what you think the spec doesn't define?

It's not completely clear to me if the specification defines:

   <img src="data:image/png...">

to have the same origin as the Document it is in.

   <img src="redirect.cgi">

which redirects to a cross-site URI that redirects to a data: URI to have  
a different origin from the Document <img> is in.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Sunday, 10 February 2008 10:30:07 UTC
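
The safe/unsafe distinction discussed in this message, modelled as an added example that is not part of the original message or of the specification. It assumes "cross-site" means a different scheme/host/port, treats a same-site redirect to a data: URI as safe (which follows from the proposed wording "not obtained through a single cross-site request"), and uses the hypothetical names `imageOrigin`, `sameOriginAsDocument`, `DOC` and `DATA`; `example.org` is a constructed host.

```javascript
// Constructed sample values (assumptions, not from the thread).
const DOC = "http://example.org/page.html";
const DATA = "data:image/png;base64,AAAA";

let opaqueCounter = 0;
// Stand-in for the "globally unique identifier" in the quoted spec text.
function uniqueOrigin() {
  opaqueCounter += 1;
  return `opaque:${opaqueCounter}`;
}

// documentUrl: URL of the Document that contains the <img>.
// chain: URLs fetched in order, starting with the src attribute value and
//        ending with the URL the image bytes finally came from.
function imageOrigin(documentUrl, chain) {
  const docOrigin = new URL(documentUrl).origin;
  const resolved = chain.map((u) => new URL(u, documentUrl));
  const last = resolved[resolved.length - 1];

  // Ordinary (non-data:) image: its origin is that of the final URL.
  if (last.protocol !== "data:") return last.origin;

  // data: image: "safe" only if no earlier hop left the document's site.
  const crossedSite = resolved
    .slice(0, -1)
    .some((u) => u.origin !== docOrigin);
  return crossedSite ? uniqueOrigin() : docOrigin;
}

// True when the image could be drawn to a <canvas> and read back by the
// embedding document without widening what that document can access.
function sameOriginAsDocument(documentUrl, chain) {
  return imageOrigin(documentUrl, chain) === new URL(documentUrl).origin;
}

// Case 1 from the message: <img src="data:image/png...">
console.log(sameOriginAsDocument(DOC, [DATA]));
// Case 2 from the message: <img src="redirect.cgi"> -> cross-site -> data:
console.log(
  sameOriginAsDocument(DOC, ["redirect.cgi", "http://cross-site.victim.com/", DATA])
);
```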