[whatwg] Stricter data URL policy

At the moment data URLs inherit the origin of the context that fetches
them. This is not the case in Chrome and we'd like this to be no
longer the case in Gecko.
https://bugzilla.mozilla.org/show_bug.cgi?id=1018872 is tracking this.

The reasoning is that data URLs require being careful with a URL being
handed to you whereas most other URLs do not. If you put it in an
<iframe> or worker it can leak information from your origin to a third
party.

The proposal is to add a flag to Fetch with regards to origin
inheritance: "same-origin data URL flag". This is set by <img> and
XMLHttpRequest, but not by <iframe>. For <iframe> we'd require <iframe
allowsameorigindataurl>. And then it would only be set for the initial
fetch, not after the <iframe> has been navigated.

Workers might be harder as there might be content relying on workers
working with data URLs. That needs to be investigated.

I'll be updating Fetch shortly with this new policy, I hope HTML can
be similarly aligned or at least that we come to an agreement here on
the above plan (I can imagine HTML might want to wait until it
integrates with Fetch in general).


-- 
http://annevankesteren.nl/

Received on Monday, 2 June 2014 09:19:49 UTC