- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 21 Mar 2014 13:57:47 +0000
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Ian Hickson <ian@hixie.ch>, Arun Ranganathan <arun@mozilla.com>, Travis Leithead <travis.leithead@microsoft.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>, Paul Irish <paul.irish@gmail.com>
On Fri, Mar 21, 2014 at 1:34 AM, Jonas Sicking <jonas@sicking.cc> wrote: > We could. Would love to see proposals for that. Right now the > specification for origin handling is fiction and as far as I know > there is no proposal that all involved parties agree to. An important > question is if we can fix data:'s origin handling, without making it > complicated enough that we don't want to use it for anything else. I wish I was more familiar with the problems you are alluding too. I can definitely see how you do not want to simply load data URLs you did not create yourself in any context. But e.g. loading a (random) data URL in <img> and then drawing it on <canvas> and analyzing the data is fine. Putting a (random) data URL in <iframe> is asking for trouble, but putting a trusted one there is fine and not different from <iframe srcdoc>. Adam, Paul, is Chrome not interested in aligning its data URL handling with other browsers? In particular, inheriting the parent's origin. Is there more information somewhere on what Chrome would like the eventual status quo to be and why? -- http://annevankesteren.nl/
Received on Friday, 21 March 2014 13:58:15 UTC