
Re: Blank blocked-uris

From: Mike West <mkwst@google.com>
Date: Tue, 5 Feb 2013 17:02:39 +0100
Message-ID: <CAKXHy=dNjGpOUV-_QbPQV0=5EVtOH9XNz1H=ONLmDd9G51Z5fw@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

This makes sense to me. I'd suggest doing the same for filesystem: and
blob: URLs.

If there are no objections, I'll add something to the spec.

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Tue, Feb 5, 2013 at 4:40 PM, Neil Matatall <neilm@twitter.com> wrote:

> Hello all,
>
> I was taking a look at our reports and noticed a significant number of
> reports without a blocked-uri value. We tracked it down to two
> (possibly more) culprits:
>
> data: uris in images
> javascript: uris in hrefs
>
> I think the protocol would be enough information in this case.
>
>
Received on Tuesday, 5 February 2013 16:03:33 GMT
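
A collector-side triage sketch for the situation discussed in this thread, added here as an example and not taken from the thread or from the CSP spec: it counts blank blocked-uri reports per violated directive and groups data:, javascript:, filesystem: and blob: values under their scheme. The function names and the sample reports are constructed; the field names follow the CSP JSON report format.

```javascript
// Schemes named in the thread, for which the scheme alone identifies the source.
const SCHEME_ONLY = new Set(["data", "javascript", "filesystem", "blob"]);

// Reduce one report's blocked-uri to a grouping key:
// "(blank)", "<scheme>:" for the schemes above, else the URL origin.
function blockedKey(report) {
  const body = report["csp-report"] || {};
  const raw = String(body["blocked-uri"] || "").trim();
  if (raw === "") return "(blank)";
  // Accept a bare scheme ("data"), "data:" or a full data: URI;
  // the payload is dropped so it is never stored.
  const scheme = (/^([a-z][a-z0-9+.-]*)(:|$)/i.exec(raw) || [])[1];
  if (scheme && SCHEME_ONLY.has(scheme.toLowerCase())) {
    return scheme.toLowerCase() + ":";
  }
  try {
    return new URL(raw).origin;
  } catch (e) {
    return raw; // not an absolute URL: keep the reported value as-is
  }
}

// Count reports per key; for blank ones also count per violated directive,
// which shows where the uninformative reports come from.
function summarize(reports) {
  const byKey = {};
  const blankByDirective = {};
  for (const r of reports) {
    const key = blockedKey(r);
    byKey[key] = (byKey[key] || 0) + 1;
    if (key === "(blank)") {
      const policy = String((r["csp-report"] || {})["violated-directive"] || "(none)");
      const name = policy.split(/\s+/)[0];
      blankByDirective[name] = (blankByDirective[name] || 0) + 1;
    }
  }
  return { byKey, blankByDirective };
}

// Constructed sample reports (not real data).
const mk = (uri, dir) => ({ "csp-report": { "blocked-uri": uri, "violated-directive": dir } });
const SAMPLE_REPORTS = [
  mk("", "img-src 'self'"), mk("", "script-src 'self'"), mk("", "img-src 'self'"),
  mk("data", "img-src 'self'"), mk("data:image/png;base64,AAAA", "img-src 'self'"),
  mk("https://cdn.example.com/lib.js?v=1", "script-src 'self'"),
];
```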
