Re: Blob URL Origin

On Fri, May 16, 2014 at 8:15 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 5/16/14, 11:08 AM, Anne van Kesteren wrote:
>>
>> Not tainting <canvas>? Same-origin <iframe>? Doesn't matter?
>
> The same-origin <iframe> bit.  I think everyone is on board with not
> tainting <canvas> for data: things.

And I agree with them. The fact that <iframe>s end up same-origin
makes it easier to XSS a website by tricking it into loading a URL of the
attacker's choice in an iframe. Or open a worker using a URL of the
attacker's choice.

But really, I'd recommend reaching out to the browsers that currently
treat data: URLs as having a unique origin. They can probably much
better speak to why they feel that that's needed.

/ Jonas

Received on Friday, 16 May 2014 22:22:58 UTC
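
The message above is concerned with a site being tricked into loading a URL it did not choose in an iframe or worker. The following is an added example, not part of the original message: one check a site could run before doing so. The function name, the allowlist and the sample URLs are assumptions made for illustration.

```javascript
// Added example: vet a caller-supplied URL before it is assigned to
// iframe.src or passed to new Worker(). All names here are hypothetical.

const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

/**
 * Returns the normalized URL if `candidate` may be embedded, otherwise null.
 * pageUrl        - URL of the embedding page, used to resolve relative input
 * allowedOrigins - origins the site has decided it is willing to embed
 */
function vetEmbedUrl(candidate, pageUrl, allowedOrigins) {
  let parsed;
  try {
    // The URL parser trims surrounding whitespace, drops embedded tabs and
    // newlines, and lowercases the scheme, so "  DaTa:..." is seen as data:.
    parsed = new URL(String(candidate), pageUrl);
  } catch (e) {
    return null; // input that does not parse is never loaded
  }
  // Refuse anything that is not http(s). A data: URL carries its own markup,
  // and in a browser where such a frame is same-origin with the embedder
  // that markup runs with the site's privileges.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Scheme-relative input ("//host/path") resolves to another origin, so the
  // origin is checked after resolution, not by inspecting the raw string.
  if (!allowedOrigins.includes(parsed.origin)) return null;
  return parsed.href;
}

// Constructed sample inputs, as they might arrive in a query parameter.
const PAGE = "https://app.example/dashboard";
const ALLOW = ["https://app.example", "https://widgets.example"];
const SAMPLES = [
  "/frames/help.html",
  "https://widgets.example/w.js",
  "  DaTa:text/html,<p>x</p>",
  "java\tscript:void(0)",
  "//other.example/x",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", vetEmbedUrl(s, PAGE, ALLOW));
}
```

For iframes, the sandbox attribute without allow-same-origin additionally places the framed document in a unique origin whatever its URL.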