- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 18 May 2014 15:38:46 +0200
- To: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>
- Cc: Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Sat, May 17, 2014 at 12:22 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> And I agree with them. The fact that <iframe>s end up same-origin
> makes it easier to XSS a website by tricking it to load a URL of the
> attacker's choice in an iframe. Or open a worker using a URL of the
> attacker's choice.

I guess that is fair. Should a cross-origin blob URL taint the <canvas>? Do we have an exhaustive list of where data URLs are problematic and where they are not? Ideally we rewrite the model in the specifications to something that is coherent and more secure.

> But really, I'd recommend reaching out to the browsers that currently
> treat data: URLs as having a unique origin. They can probably much
> better speak to why they feel that that's needed.

I believe they are subscribed. Adam? Joel?

-- 
http://annevankesteren.nl/
Received on Sunday, 18 May 2014 13:39:13 UTC
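The attack Jonas describes above (a page tricked into loading an attacker-chosen URL into an <iframe> or a Worker) and the two origin policies the thread contrasts, as an added example that is not code from the thread, from any browser, or from the specifications under discussion. The toy origin model, the `PAGE_ORIGIN` value, the attacker payload and every function name are constructed for illustration; the only real API used is the WHATWG `URL` parser.

```javascript
// Added example (not from the mailing-list thread). Models the two data: URL
// origin policies the message contrasts: "inherit" (the data: document gets
// the embedder's origin, the behaviour Jonas says makes XSS easier) and
// "unique" (an opaque origin, what some browsers did at the time). It then
// shows the input check that stops the page from loading an attacker-chosen
// URL at all. PAGE_ORIGIN and all names below are constructed assumptions.

const PAGE_ORIGIN = "https://app.example"; // constructed sample embedder origin

// Origin an embedded document or worker script would run under, given a policy.
// policy: "inherit" -> data: URLs take the embedder's origin
//         "unique"  -> data: URLs get an opaque origin (returned as null)
// Other schemes just report the origin the URL parser assigns them.
function originOfEmbedded(urlString, embedderOrigin, policy) {
  const url = new URL(urlString, embedderOrigin + "/");
  if (url.protocol === "data:") {
    return policy === "inherit" ? embedderOrigin : null;
  }
  return url.origin === "null" ? null : url.origin;
}

// The vulnerable pattern: the URL comes straight from input the page does not
// control (query string, fragment, postMessage ...) and would be assigned to
// iframe.src or passed to new Worker() unchanged.
function embedUnchecked(userInput) {
  return userInput;
}

// Hardened: resolve against the page, allow only http(s) (this rejects data:,
// blob:, javascript: and about: in one check), and by default require the
// result to be same-origin, which is what a worker script or a non-sandboxed
// frame that inherits the page's authority needs.
function embedChecked(userInput, { sameOriginOnly = true } = {}) {
  let url;
  try {
    url = new URL(userInput, PAGE_ORIGIN + "/");
  } catch {
    return null; // unparsable input is refused, not "fixed up"
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (sameOriginOnly && url.origin !== PAGE_ORIGIN) return null;
  return url.href;
}

// Constructed attacker payload: a data: document whose script reaches into
// the embedder. Under the "inherit" policy it runs as PAGE_ORIGIN, so the
// parent's DOM, cookies and storage are in reach; under "unique" it does not.
const PAYLOAD =
  "data:text/html,<script>parent.document.body.innerHTML=''</script>";

function demo() {
  const loaded = embedUnchecked(PAYLOAD);
  return {
    unchecked: loaded,
    originUnderInherit: originOfEmbedded(loaded, PAGE_ORIGIN, "inherit"),
    originUnderUnique: originOfEmbedded(loaded, PAGE_ORIGIN, "unique"),
    checked: embedChecked(PAYLOAD),
  };
}

console.log(demo());
```

The point of `embedChecked` is that it does not depend on which origin policy the browser applies to data: URLs: whether the frame would inherit the page's origin or get a unique one, a URL the attacker chose never reaches `iframe.src` or `new Worker()`. Passing `{ sameOriginOnly: false }` is the opt-in for deliberately embedding third-party http(s) content, which should then also be sandboxed.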