- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 27 Apr 2015 19:42:30 -0700
- To: duanyao <duanyao@ustc.edu>
- Cc: WHATWG <whatwg@whatwg.org>
On Mon, Apr 27, 2015 at 7:37 PM, duanyao <duanyao@ustc.edu> wrote: > In iframe, srcdoc attribute seems as secure (insecure) as data: URL in src, > so should it be removed from the spec? The difference there, and in the other examples that you mention, is that you know that you are loading content in your own domain. The problem with data: URLs is that the same API sometimes does a network load, and sometimes parses content and runs in your security origin. I'm happy to have a way to opt-in to enable loading data: in <iframe>s and Workers. But I strongly prefer an explicit opt-in. Note that the chrome team apparently currently feels that data: in <iframe> is so unsafe that they always load it in a sandbox. And never allow data: in Workers. There's no way to even opt in to having it behave any other way. / Jonas
Received on Tuesday, 28 April 2015 02:43:24 UTC