- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 28 Jun 2013 09:37:47 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>

On Fri, Jun 28, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 6/27/2013 6:41 AM, Anne van Kesteren wrote:
>> If it's just data URLs for which this is a problem, "data:," is the
>> shortest valid data URL I know of. But I think it might be a problem
>> for blob URLs too. We could probably make the URL parser work for
>> "data:" and "blob:". They would not be valid data or blob URLs, but
>> would parse as URLs, if that makes sense.
>
> Pretty sure we decided blob: was covered by 'self' so you shouldn't need
> to specify that one.

Even though blob is covered by 'self', you might still need to include
it in a violation report. The site doesn't necessarily need to
whitelist 'self'.

Adam

Received on Friday, 28 June 2013 16:38:47 UTC