
Re: [whatwg] Security restriction allows content thievery

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 7 Sep 2012 10:03:12 -0700
Message-ID: <CAJE5ia-_oVCg0DJg+W62NXFZ=9NHS1OTH0fGApVNXi8i+-GYZA@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Fred Andrews <fredandw@live.com>, "whatwg@whatwg.org" <whatwg@whatwg.org>

On Thu, Sep 6, 2012 at 9:53 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 7 Sep 2012, Fred Andrews wrote:
>> I think the aim is to have the URL of the page that includes these data:
>> URLs sent to the tracking server?
>
> Ah, I see. So say you have a page A, which itself contains a data: URL,
> and you load that data: URL as page B, and in B there is a link to another
> resource C, the argument here is that in the network request for C, the
> referrer information should be of A, rather than B?
>
> That's an interesting idea... Any browser vendors want to chip in on this?

We're unlikely to implement that in WebKit.  We'd like to keep
documents created by data URLs in a unique origin and avoid leaking
privileges (including the privilege to send a certain Referer into the
iframe).

Adam
Received on Friday, 7 September 2012 17:04:49 UTC
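
The A → B (data: URL) → C case discussed in this thread, as an added example that is not part of the original message or of WebKit's code. It uses the standard WHATWG `URL` parser; the function names and sample URLs are constructed, and `refererFor` is a simplified model that assumes a document in a unique origin sends no Referer.

```javascript
// Added illustration. Function names and URLs below are constructed.

// Origin of the document at docUrl. A data: URL has an opaque (unique)
// origin, which the URL parser serializes as the string "null".
function documentOrigin(docUrl) {
  return new URL(docUrl).origin;
}

// Opaque origins never compare equal, not even to themselves, so a
// data: document is same-origin with nothing, including its embedder.
function sameOrigin(a, b) {
  const oa = documentOrigin(a);
  const ob = documentOrigin(b);
  return oa !== 'null' && oa === ob;
}

// Simplified model of the Referer attached to a request made by the
// document at docUrl. Assumption: a document in a unique origin sends
// none and does not borrow the URL of the page that embedded it.
function refererFor(docUrl) {
  const u = new URL(docUrl);
  if (u.origin === 'null' || !['http:', 'https:'].includes(u.protocol)) {
    return null; // no Referer header on the request
  }
  u.username = '';
  u.password = '';
  u.hash = ''; // fragments and credentials are never sent
  return u.href;
}

// Page A embeds page B as a data: URL; B then requests resource C.
const pageA = 'https://a.example/article?id=7#top';
const pageB = 'data:text/html,%3Cimg%20src%3Dhttps%3A%2F%2Fc.example%2Fp.gif%3E';

console.log('origin of A:', documentOrigin(pageA));
console.log('origin of B:', documentOrigin(pageB));
console.log('A and B same-origin:', sameOrigin(pageA, pageB));
console.log('Referer when A requests C:', refererFor(pageA));
console.log('Referer when B requests C:', refererFor(pageB));
```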
