Re: [whatwg] Security restriction allows content thievery

On Thu, Sep 6, 2012 at 9:53 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 7 Sep 2012, Fred Andrews wrote:
>> I think the aim is to have the URL of the page that includes these data:
>> URLs sent to the tracking server?
>
> Ah, I see. So say you have a page A, which itself contains a data: URL,
> and you load that data: URL as page B, and in B there is a link to another
> resource C, the argument here is that in the network request for C, the
> referrer information should be of A, rather than B?
>
> That's an interesting idea... Any browser vendors want to chip in on this?

We're unlikely to implement that in WebKit.  We'd like to keep
documents created by data URLs in a unique origin and avoid leaking
privileges (including the privilege to send a certain Referer into the
iframe).

Adam

Received on Friday, 7 September 2012 17:04:49 UTC