Re: [whatwg] EventSource and data URLs

On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Currently Chrome supports data URLs inside EventSource whereas in
>> Firefox EventSource is restricted to http/https URLs:
>>
>>   https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>
>> What's the convergence we want here?
>
> It's rather frustrating when data: urls don't work in various places;
> they're an invaluable debugging tool, at minimum.  They should
> generally be treated as the same security level as the page, no?

There are definitely exceptions to this. For example, Chrome doesn't run
an <iframe src="data:..."> with the same origin as its parent. For IMHO
good reasons, since it's a potential XSS vector if a website accepts
URLs from third parties and renders them inside a child <iframe>.

The same problem exists with accepting data: URLs in "new Worker(...)".

So no, I don't think it should be treated as the same security level
as the page.

For data-loading APIs, rather than script-running APIs, I see less of
such risk though.

/ Jonas
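The risk Jonas describes is a site taking a URL from a third party and handing it to a script-running sink (an iframe, a Worker, or, in Chrome at the time, an EventSource). One defensive check is a scheme allowlist applied before the URL reaches any of those constructors. The following is an added example, not code from the thread or from any browser; it uses only the WHATWG URL parser available in browsers and Node.js, and the base URL `https://example.com/` and the sample inputs are constructed for illustration:

```javascript
// Added example: scheme allowlist for URLs received from third parties, applied
// before the URL is used as <iframe src>, new Worker(...) or new EventSource(...).
// Only the standard URL class is used; nothing here is browser-specific.

// Schemes a page is willing to load from untrusted input. data:, javascript:
// and blob: are deliberately absent: the first two carry inline content that
// would execute with whatever origin the browser assigns to them.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve `input` against `base` (assumed to be the embedding document's own URL)
// and return the normalized absolute URL if its scheme is allowed, else null.
function sanitizeEmbedUrl(input, base = "https://example.com/") {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input, base);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  // The URL parser trims surrounding whitespace and lowercases the scheme,
  // so " DATA:text/html,x" ends up with protocol "data:" like any other spelling.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Classify a batch of inputs; returns [{ input, allowed }] for reporting.
function classify(inputs) {
  return inputs.map((u) => ({ input: u, allowed: sanitizeEmbedUrl(u) }));
}

// Constructed sample inputs covering the cases discussed in the thread.
const SAMPLE_INPUTS = [
  "https://partner.example/feed",   // absolute https: allowed
  "/events",                        // relative: resolved against base, allowed
  "data:text/html,<p>hi</p>",       // inline document: rejected
  "DATA:text/html,x",               // scheme is case-insensitive: rejected
  "javascript:void(0)",             // rejected
  "blob:https://example.com/abc",   // rejected
  "https://",                       // no host: parse failure, rejected
];

if (typeof require !== "undefined" && require.main === module) {
  for (const { input, allowed } of classify(SAMPLE_INPUTS)) {
    console.log(`${allowed ? "ALLOW " : "REJECT"} ${input}`);
  }
}
```

The function returns the parser's normalized form rather than the raw string, so whatever is later assigned to `src` or passed to `new EventSource(...)` is exactly what was checked.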

Received on Monday, 27 April 2015 22:58:54 UTC