Re: Blob URL Origin

On Sat, May 17, 2014 at 12:22 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> And I agree with them. The fact that <iframe>s end up same-origin
> makes it easier to XSS a website by tricking it to load a URL of the
> attackers choice in an iframe. Or open a worker using a URL of the
> attackers choice.

I guess that is fair. Should a cross-origin blob URL taint the <canvas>?

Do we have an exhaustive list of where data URLs are problematic and
where they are not? Ideally we rewrite the model in the specifications
to something that is coherent and more secure.


> But really, I'd recommend reaching out to the browsers that currently
> treat data: URLs as having a unique origin. They can probably much
> better speak to why they feel that that's needed.

I believe they are subscribed. Adam? Joel?


-- 
http://annevankesteren.nl/

Received on Sunday, 18 May 2014 13:39:13 UTC