W3C home > Mailing lists > Public > public-webapi@w3.org > October 2007

Re: XHR data: and javascript: requests

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 04 Oct 2007 09:40:42 -0500
Message-ID: <4704FB6A.7070402@mit.edu>
To: Anne van Kesteren <annevk@opera.com>
CC: Mark Baker <distobj@acm.org>, "Web API WG (public)" <public-webapi@w3.org>

Anne van Kesteren wrote:
> data:text/javascript would act the same as simply loading a JavaScript 
> file. There's no execution involved there so that's safe. I've allowed 
> data: URIs now:
> 
>   http://dev.w3.org/2006/webapi/XMLHttpRequest/

I should point out that this will require special-casing in the security check, 
because in general a random data: URI is NOT in fact same-origin with an http: 
URI.  It's not even same-origin in Opera, last I checked, which means that 
they're special-casing it in the check here....  What's special about data: in 
particular?  How long until someone else comes up with some other protocol they 
argue is "safe" and should also be special-cased?

I rather question whether there are actual use cases for this that justify the 
complexity in an area of code (security checks) where complexity and the 
attendant potential for bugs is to be avoided at all costs.

-Boris
Received on Thursday, 4 October 2007 14:41:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT