Re: Blob URL Origin

On Fri, May 16, 2014 at 8:15 AM, Boris Zbarsky <> wrote:
> On 5/16/14, 11:08 AM, Anne van Kesteren wrote:
>> Not tainting <canvas>? Same-origin <iframe>? Doesn't matter?
> The same-origin <iframe> bit.  I think everyone is on board with not
> tainting <canvas> for data: things.

And I agree with them. The fact that <iframe>s end up same-origin
makes it easier to XSS a website by tricking it to load a URL of the
attackers choice in an iframe. Or open a worker using a URL of the
attackers choice.

But really, I'd recommend reaching out to the browsers that currently
treat data: URLs as having a unique origin. They can probably much
better speak to why they feel that that's needed.

/ Jonas

Received on Friday, 16 May 2014 22:22:58 UTC