- From: Mike West <notifications@github.com>
- Date: Tue, 06 Sep 2016 22:18:03 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Wednesday, 7 September 2016 05:18:33 UTC
> @mikewest, where does Chrome consider data URLs same-origin? The snippet @youennf posted does not enrich the `error` (though it does load, probably because we're shortcutting through CORS for `data:` for exciting historical reasons). That is, we don't consider it same-origin, but we're not performing the same checks on it that we would for a network request. More generally, I know that we allow extraction of pixels from `data:` from `<canvas>`, and I wouldn't be surprised if there were one or two other exceptions we've made over the years, but, ideally, Chrome doesn't consider `data:` URLs same-origin (At this point, I think Firefox is the only browser that _does_ consider them same-origin consistently. Perhaps we should instead align the spec with Blink/WebKit/EdgeHTML? :) ). -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/381#issuecomment-245177698
Received on Wednesday, 7 September 2016 05:18:33 UTC