- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 6 Sep 2012 18:22:42 +0000 (UTC)
- To: whatwg@whatwg.org
On Mon, 16 Jul 2012, Robert Eisele wrote:
>
> Browsers are very restrictive when one tries to access the contents of
> different domains (including the scheme), embedded via framesets. This
> is normally a good practice, but I'd suggest weakening this restriction
> for the data: URI schema.

It already is. The origin of documents and images using data: URLs is
essentially the origin of wherever you found the URL.

> I'm currently building an analysis system like Google Analytics, which
> gets embedded into a website via a small JavaScript snippet. When I
> analyzed the data, I came across a very interesting trick because I got
> a lot of requests (with the data from location.href) where the entire
> website was embedded into a data:text/html URI - except that all ads of
> the page were replaced. Fortunately, my tracking code has been left
> without modifications.

Weird.

> But the scary thing is that this way you can monetize foreign content by
> simply embedding it somewhere you can direct traffic to. That's pretty
> clever, because the original site owner doesn't notice this abuse due to
> the fact that top.location.href isn't readable. Or even worse, he would
> never notice it at all when he doesn't sniff the URI with JavaScript,
> because image files would have no referrer.
>
> My final approach to convict the abuser is based on the fact that the
> JavaScript was dynamically loaded from my server and that I can write to
> location.href. So I added this piece of code:
>
>     if (top.location.protocol === 'data:') {
>         top.location.href = 'http://example.com/trap/';
>     }
>
> But even then the referrer will not be passed to the server. So my
> proposal is that the data URI schema gets an exception on this security
> behavior.

I don't understand. What referrer are you trying to set? To what?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 6 September 2012 18:23:09 UTC
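As an added example (not code from the thread or from either author), here is the check Robert describes, extended to cope with a top window whose location is not readable at all (reading location.protocol of a cross-origin top window throws in browsers), and to carry the page identity in the report itself since a data: top-level document sends no Referer. The function names, the report shape and the mock windows are my own assumptions so the code runs outside a browser.

```javascript
// Added example, not from the thread. Classify the context a tracking
// snippet runs in, as in Robert's check, without assuming top.location is
// readable: reading location.protocol of a cross-origin top window throws
// in browsers (only assignment to location.href is allowed).
function classifyContext(win) {
  const ctx = { framed: win !== win.top, topReadable: false, topProtocol: null, dataWrapper: false };
  try {
    ctx.topProtocol = win.top.location.protocol; // throws if top is cross-origin
    ctx.topReadable = true;
  } catch (e) {
    return ctx; // cross-origin top: no further information available here
  }
  ctx.dataWrapper = ctx.topProtocol === 'data:';
  return ctx;
}

// A data: top-level document sends no Referer, so the report must carry the
// page identity itself: location.href of the document the snippet runs in
// (for a data: wrapper that is the whole wrapped page, which is exactly how
// the trick showed up in Robert's logs).
function buildReport(win) {
  const ctx = classifyContext(win);
  return { pageUrl: win.location.href, ...ctx };
}

// Constructed mock windows so the functions can be exercised outside a browser.
function mockWindow(href, top) {
  const w = { location: { href, protocol: href.slice(0, href.indexOf(':') + 1) } };
  w.top = top || w;
  return w;
}

// Emulates a cross-origin top window: href is assignable, everything else throws.
function crossOriginTop() {
  return {
    location: {
      get protocol() { throw new Error('SecurityError'); },
      set href(v) { /* navigation allowed, value discarded in the mock */ },
    },
  };
}

console.log(buildReport(mockWindow('data:text/html,<html>wrapped copy</html>')).dataWrapper); // true
```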