Re: Defining secure-enough origins.

On Fri, Aug 22, 2014 at 5:11 PM, Boris Zbarsky wrote:

> On 8/22/14, 10:21 AM, Mike West wrote:
>> Using location won't work, as you've noted. Walking up the chain in a
>> similar way to about:srcdoc would work.
> Would it?  Your point about being able to navigate to about:blank is a
> good one.
> That said, I've been thinking about this a bit more and I think there
> isn't actually an issue here.  If the about:blank is not sandboxed, its
> origin is usable.  If it's sandboxed, then how would it ever end up with
> any nontrivial content?

That is a very good point. :)

I've addressed the srcdoc bit with

Thoughts about 'data:'? I don't really think doing taint-checking on
'data:' URL navigations is worth it (or easily implementable).


Received on Friday, 22 August 2014 17:42:04 UTC