Re: [whatwg/fetch] Same-origin data-URL flag only for fetch and XHR? (#381)

Firefox does not seem to fully treat data URL scripts as same-origin: the error is only partially enriched. Or maybe there is a bug preventing the error from being enriched.
WebKit does not allow loading data URLs in cross-origin mode for scripts at the moment, but that could be changed.

Another example is the ShapeOutside CSS property, which must be "potentially CORS-enabled fetch"ed in "anonymous" mode. In WebKit, we recently set the same-origin data-URL flag for this one.

I don't know the historical reasons for the same-origin data-URL flag.
It seems to me data URL resources and inlined resources have a lot in common.
Since the origin of a data URL resource is well defined, shouldn't we simplify the fetch spec by removing the same-origin data-URL flag? Or by making it set by default? That would allow "potentially CORS-enabled fetch" to better match what browsers are doing.

-- 
https://github.com/whatwg/fetch/issues/381#issuecomment-245179621

Received on Wednesday, 7 September 2016 05:33:43 UTC