- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 14 Sep 2016 07:04:33 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Wednesday, 14 September 2016 14:05:04 UTC
HTML gives data URLs a unique origin when navigating to them to prevent
a class of XSS attacks.

Since browsers already largely allow data URLs in all other contexts
this commit aligns with that, opting them into being same-origin
elsewhere.

Workers however are still prevented. It would create problems for
shared workers and potentially also for dedicated workers.

Fixes #381.
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/387
-- Commit Summary --
* Treat data URLs as same-origin, except for workers
-- File Changes --
M Overview.html (14)
M Overview.src.html (14)
-- Patch Links --
https://github.com/whatwg/fetch/pull/387.patch
https://github.com/whatwg/fetch/pull/387.diff