Comments on "origin" (data: and image)

The section should be more clear what it means by image. Is that simply a  
reference to the <img> element?

Also, it should clearly distinguish between the origin for safe data: URI  
images, and unsafe data: URI images. This to ensure <canvas> data is round  
trippable for instance, but that we don't increase the attack surface.

A safe data: URI image is every <img> element where the image is  
represented by a data: URI and where this URI was not obtained through a  
single cross-site request. So <img src=data:...> is safe, but <img  
src=http://cross-site.victim.com> which redirects upon fetching to a data:  
URI is not.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Saturday, 2 February 2008 10:49:30 UTC