- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 04 Oct 2007 09:40:42 -0500
- To: Anne van Kesteren <annevk@opera.com>
- CC: Mark Baker <distobj@acm.org>, "Web API WG (public)" <public-webapi@w3.org>
Anne van Kesteren wrote: > data:text/javascript would act the same as simply loading a JavaScript > file. There's no execution involved there so that's safe. I've allowed > data: URIs now: > > http://dev.w3.org/2006/webapi/XMLHttpRequest/ I should point out that this will require special-casing in the security check, because in general a random data: URI is NOT in fact same-origin with an http: URI. It's not even same-origin in Opera, last I checked, which means that they're special-casing it in the check here.... What's special about data: in particular? How long until someone else comes up with some other protocol they argue is "safe" and should also be special-cased? I rather question whether there are actual use cases for this that justify the complexity in an area of code (security checks) where complexity and the attendant potential for bugs is to be avoided at all costs. -Boris
Received on Thursday, 4 October 2007 14:41:22 UTC