W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2014

Re: On starting WebWorkers with blob: URLs...

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 20 Mar 2014 18:34:30 -0700
Message-ID: <CA+c2ei9MWXhGPfFTCA-xCDCZ6EUNOFLVC9PuZKMRscF4Ompvgg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Ian Hickson <ian@hixie.ch>, Arun Ranganathan <arun@mozilla.com>, Travis Leithead <travis.leithead@microsoft.com>, public-webapps <public-webapps@w3.org>
On Wed, Mar 19, 2014 at 8:05 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> This is because we have been bit several times by having code from
>> security context A (in our case code from chrome://) receive a URL
>> from code from security context B. A would then load that URL. This
>> way B can trick A into creating content that B controls, but that runs
>> with As privileges.
>>
>> I'd love it if the web also had such an opt-in flag, but I don't know
>> how possible that is to create.
>
> We could have an attribute on the various loading contexts, no?

We could. Would love to see proposals for that. Right now the
specification for origin handling is fiction and as far as I know
there is no proposal that all involved parties agree to. An important
question is if we can fix data:'s origin handling, without making it
complicated enough that we don't want to use it for anything else.

/ Jonas
Received on Friday, 21 March 2014 01:35:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:22 UTC