Re: On starting WebWorkers with blob: URLs...

On Wed, Mar 19, 2014 at 8:05 AM, Anne van Kesteren <> wrote:
>> This is because we have been bit several times by having code from
>> security context A (in our case code from chrome://) receive a URL
>> from code from security context B. A would then load that URL. This
>> way B can trick A into creating content that B controls, but that runs
>> with As privileges.
>> I'd love it if the web also had such an opt-in flag, but I don't know
>> how possible that is to create.
> We could have an attribute on the various loading contexts, no?

We could. Would love to see proposals for that. Right now the
specification for origin handling is fiction and as far as I know
there is no proposal that all involved parties agree to. An important
question is if we can fix data:'s origin handling, without making it
complicated enough that we don't want to use it for anything else.

/ Jonas

Received on Friday, 21 March 2014 01:35:32 UTC