- From: Boris Zbarsky <bzbarsky@mit.edu>
- Date: Fri, 22 Aug 2014 13:43:30 -0400
- To: Mike West <mkwst@google.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Anne van Kesteren <annevk@annevk.nl>
On 8/22/14, 1:41 PM, Mike West wrote: > Thoughts about 'data:'? I don't really think doing taint-checking on > 'data:' URL navigations is worth it (or easily implementable). What are you doing for javascript: ? Seems like that has the same problem as data:, except javascript: will automatically pick up the document URI of ... something (script entry point, unless you do it via setting @src, in which case it's the ownerDocument of the frame). -Boris
Received on Friday, 22 August 2014 17:44:00 UTC