
Re: [whatwg] Fetch: cross-origin redirect to a data URL

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 28 Feb 2013 16:33:57 +0000
Message-ID: <CADnb78jhON72NBksHNxncAxVwtCmD0Ojp-eVqOoXeBMUJHWb=w@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: whatwg@lists.whatwg.org

On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack.  In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth.  At least in Firefox, last I checked.

Does it matter if it's a same-origin redirect though? It seems then it
should be okay (given there's no cross-origin URL in the redirect
chain).


> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275

That seems to argue for even stricter rules. Basically stopping
navigation to data URLs.


-- 
http://annevankesteren.nl/
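The two rules under discussion, written out as an added example that is not part of the original thread and not any browser's code: given the initiator's URL and the sequence of URLs a fetch was redirected through, decide whether a final data: URL may inherit the initiator's security context. The policy names (`never` for the Firefox behaviour Boris describes, where a data: redirect target never inherits; `same-origin-only` for Anne's question, where it inherits only if no cross-origin URL appears in the chain), the result shape and the hostnames are assumptions made for this example.

```javascript
// Added example: models the redirect-chain rules discussed in the thread.
// Policy names, result shape and sample hostnames are constructed here.
//   "never"            - a data: URL reached by redirect never inherits
//   "same-origin-only" - it inherits only if every earlier hop shares the
//                        initiator's origin
const POLICIES = new Set(['never', 'same-origin-only']);

// Origin of an http(s) URL; null for schemes whose origin is opaque (data:, blob:, ...)
function originOf(url) {
  const u = new URL(url);
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
}

function classifyRedirectChain(initiator, chain, policy = 'same-origin-only') {
  if (!POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`);
  const base = originOf(initiator);
  if (base === null) throw new Error('initiator must be an http(s) URL');
  const crossOriginHops = [];

  for (let i = 0; i < chain.length; i++) {
    const url = chain[i];
    if (new URL(url).protocol === 'data:') {
      // A data: response cannot itself redirect, so it must be the final hop.
      if (i !== chain.length - 1) {
        return { kind: 'invalid', reason: 'data: URL is not the final hop', crossOriginHops };
      }
      const inherits = policy === 'same-origin-only' && crossOriginHops.length === 0;
      return { kind: 'data', inherits, crossOriginHops };
    }
    if (originOf(url) !== base) crossOriginHops.push(url);
  }
  // Chain ended on a network URL: ordinary cross-origin rules apply to it.
  return { kind: 'network', inherits: false, crossOriginHops };
}

// Demo over constructed chains
const initiator = 'https://app.example/page';
console.log(classifyRedirectChain(initiator,
  ['https://app.example/go', 'data:text/html,<p>hi</p>']));                    // inherits: true
console.log(classifyRedirectChain(initiator,
  ['https://app.example/go', 'https://cdn.example/go', 'data:text/html,<p>hi</p>'])); // inherits: false
console.log(classifyRedirectChain(initiator,
  ['https://app.example/go', 'data:text/html,<p>hi</p>'], 'never'));           // inherits: false
```

The cross-origin hops are returned alongside the verdict so that a log line can say which URL in the chain caused a data: target to be treated as opaque rather than just reporting the final answer.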
Received on Thursday, 28 February 2013 16:34:27 UTC
