Re: [w3ctag/design-reviews] Find the best terminology to restrict the usage of data urls (#635)

Hi @iherman and @mattgarrish. Sorry about the delay in responding to this. 

A question that came up in our TAG meeting last week was: does the epub spec require secure contexts? I couldn't tell from a quick ctrl+F of the spec. If it does, then [it was resolved that data URLs at the top level do not create a secure context](https://github.com/w3c/webappsec-secure-contexts/issues/69#issuecomment-585784646), in which case your wording could include something like:

> Reading Systems MUST prevent data URLs [RFC2397] from opening in insecure contexts [https://html.spec.whatwg.org/multipage/webappapis.html#secure-context]

Otherwise I think the wording you have is sufficient, and it is consistent with [widely implemented browser behaviour](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs#browser_compatibility). If the main concern is that an SVG at the top level doesn't count as a "browsing context", and SVG is the only exception, you could be explicit about this, eg:

> Reading Systems MUST prevent data URLs [RFC2397] from opening in top-level browsing contexts [HTML], except when initiated through a Reading System affordance such as a context menu. If a Reading System does not use a top-level browsing context for Top-level Content Documents, for example if the Top-level Content Document is an SVG, it MUST also prevent data URLs from opening as though they are Top-level Content Documents.

My only other suggestion would be to consider the phrase "via a user-initiated navigation" instead of (or as well as) "through a Reading System affordance such as a context menu" if that adds any clarity to what you mean.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/635#issuecomment-892475454