Hrm. The two have similar properties, and should be treated similarly. More
to the point: I don't think there's any good justification for allowing
'javascript:' resources access to the kinds of APIs that we're talking
about restricting. I wouldn't be sad if sandboxing them into unique origins
prevented them from accessing such APIs.
-mike
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
On Fri, Aug 22, 2014 at 7:43 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 8/22/14, 1:41 PM, Mike West wrote:
>
>> Thoughts about 'data:'? I don't really think doing taint-checking on
>> 'data:' URL navigations is worth it (or easily implementable).
>>
>
> What are you doing for javascript: ?
>
> Seems like that has the same problem as data:, except javascript: will
> automatically pick up the document URI of ... something (script entry
> point, unless you do it via setting @src, in which case it's the
> ownerDocument of the frame).
>
> -Boris