- From: Anne van Kesteren <annevk@opera.com>
- Date: Sun, 10 Feb 2008 11:34:00 +0100
- To: "Ian Hickson" <ian@hixie.ch>
- Cc: "HTML WG" <public-html@w3.org>
On Sun, 10 Feb 2008 01:17:28 +0100, Ian Hickson <ian@hixie.ch> wrote: > On Sat, 2 Feb 2008, Anne van Kesteren wrote: >> >> The section should be more clear what it means by image. Is that simply >> a reference to the <img> element? > > I'm not sure to what you refer here. Section "4.3.2 Origin". >> Also, it should clearly distinguish between the origin for safe data: >> URI images, and unsafe data: URI images. This to ensure <canvas> data is >> round trippable for instance, but that we don't increase the attack >> surface. > > Isn't this already done in the definition of "origin"? In that "The origin of a Document or image that was generated from a data: URI found in another Document or in a script is the origin of the Document or script." takes care of the safe data: URI and "The origin of a Document or image that was generated from a data: URI from another source is a globally unique identifier assigned when the document is created." of the unsafe? It's not really that clear to me. >> A safe data: URI image is every <img> element where the image is >> represented by a data: URI and where this URI was not obtained through a >> single cross-site request. So <img src=data:...> is safe, but <img >> src=http://cross-site.victim.com> which redirects upon fetching to a >> data: URI is not. > > This seems already defined. > > Could you give examples of what you think the spec doesn't define? It's not completely clear to me if the specification defines: <img src="data:image/png..."> to have the same origin as the Document it is in. <img src="redirect.cgi"> which redirects to a cross-site URI that redirects to a data: URI to have a different origin from the Document <img> is in. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Sunday, 10 February 2008 10:30:07 UTC