Re: [fetch] Give user entered data: URI documents the HTTPS state 'modern' (#243)

> It would be strange to treat user-entered top-level data navigations differently from page-initiated top-level navigations, right?

It seems to make sense to me for HTTPS state. If the user enters a data: URI that they have written and understand, then it is delivered from a trusted source. If a page initiates it, then whether it is trusted or not depends on whether the initiating page is trusted.

FWIW I think there is a valid concern that users could be tricked into loading a data: either by copy and paste or by navigating to it from another application. If there is consensus that this is an issue we could act on, I'd suggest UAs should block user-entered data: URIs by default with a preference to enable them.

> In Chrome, we divorce 'data:' from most capabilities

Why is that? Are there intrinsic security issues or is that due to the issues Blink has propagating origins that you've mentioned before?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/243#issuecomment-195006237

Received on Thursday, 10 March 2016 19:22:15 UTC