Re: [whatwg] Security restriction allows content thievery

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 7 Sep 2012 04:53:23 +0000 (UTC)
To: Fred Andrews <fredandw@live.com>
Message-ID: <Pine.LNX.4.64.1209070443440.30734@ps20323.dreamhostps.com>
Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>

On Fri, 7 Sep 2012, Fred Andrews wrote:
> 
> I think the aim is to have the URL of the page that includes these data: 
> URLs sent to the tracking server?

Ah, I see. So say you have a page A, which itself contains a data: URL, 
and you load that data: URL as page B, and in B there is a link to another 
resource C, the argument here is that in the network request for C, the 
referrer information should be of A, rather than B?

That's an interesting idea... Any browser vendors want to chip in on this?

Unless there is browser-vendor interest in implementing this, I don't 
intend to add it to the spec, since it seems a little esoteric and could 
leak referrers in cases where authors had previously assumed they'd be 
safe (e.g. if a Webmail app is opening e-mails in iframes using data: URLs 
to prevent the e-mail's images from including the user's webmail client's 
URL in the referrer information, or something).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 7 September 2012 04:53:57 UTC
