Re: Comments on "origin" (data: and image)

On Sun, 10 Feb 2008, Anne van Kesteren wrote:
> On Sun, 10 Feb 2008 01:17:28 +0100, Ian Hickson <ian@hixie.ch> wrote:
> > On Sat, 2 Feb 2008, Anne van Kesteren wrote:
> > > 
> > > The section should be more clear what it means by image. Is that simply
> > > a reference to the <img> element?
> > 
> > I'm not sure to what you refer here.
> 
> Section "4.3.2 Origin".

It means any image, including but not limited to those in <img> elements, 
that does not have a Document object.


> > > Also, it should clearly distinguish between the origin for safe 
> > > data: URI images, and unsafe data: URI images. This to ensure 
> > > <canvas> data is round trippable for instance, but that we don't 
> > > increase the attack surface.
> > 
> > Isn't this already done in the definition of "origin"?
> 
> In that "The origin of a Document or image that was generated from a 
> data: URI found in another Document or in a script is the origin of the 
> Document or script." takes care of the safe data: URI and "The origin of 
> a Document or image that was generated from a data: URI from another 
> source is a globally unique identifier assigned when the document is 
> created." of the unsafe? It's not really that clear to me.

Right, the origin of images from data: URIs in the various cases is 
defined, and if an image isn't the same origin as the script calling 
canvas, then it's "unsafe".


> It's not completely clear to me if the specification defines:
> 
>   <img src="data:image/png...">
> 
> to have the same origin as the Document it is in.

"If a Document or image was generated from a data: URI found in another 
Document or in a script
The origin is the origin of the Document or script in which the data: URI 
was found."


>   <img src="redirect.cgi">
> 
> which redirects to a cross-site URI that redirects to a data: URI to 
> have a different origin from the Document <img> is in.

This case was handled but not explicitly. I've mentioned it explicitly 
now. (And also handled javascript: from redirect.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 29 April 2008 11:08:22 UTC