Re: [whatwg] Fetch: cross-origin redirect to a data URL

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 25 Feb 2013 15:06:36 -0500
Message-ID: <512BC44C.3000408@mit.edu>
To: whatwg@lists.whatwg.org

On 2/25/13 3:00 PM, Adam Barth wrote:
> Yes, that's to defend against a different sort of attack.  In some
> browsers, like Firefox, data URLs inherit the security context of
> their authors.

This is not the case for data: URLs that are the target of a redirect, 
for what it's worth.  At least in Firefox, last I checked.

The only argument I've seen for Chrome's behavior is in 
https://bugzilla.mozilla.org/show_bug.cgi?id=786275

-Boris
Received on Monday, 25 February 2013 20:07:02 UTC
