W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: Blob URL Origin

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 18 May 2014 15:38:46 +0200
Message-ID: <CADnb78hPbYKe5bRiotwOG96QDK4qj7U30OZYn+1+tj+Um4Tbvg@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Sat, May 17, 2014 at 12:22 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> And I agree with them. The fact that <iframe>s end up same-origin
> makes it easier to XSS a website by tricking it to load a URL of the
> attackers choice in an iframe. Or open a worker using a URL of the
> attackers choice.

I guess that is fair. Should a cross-origin blob URL taint the <canvas>?

Do we have an exhaustive list of where data URLs are problematic and
where they are not? Ideally we rewrite the model in the specifications
to something that is coherent and more secure.

> But really, I'd recommend reaching out to the browsers that currently
> treat data: URLs as having a unique origin. They can probably much
> better speak to why they feel that that's needed.

I believe they are subscribed. Adam? Joel?

Received on Sunday, 18 May 2014 13:39:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC