Re: [whatwg] Fetch: cross-origin redirect to a data URL from Adam Barth on 2013-02-25 (public-whatwg-archive@w3.org from February 2013)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 24 Feb 2013 20:30:30 -0800
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>
Message-ID: <CAJE5ia-tNs1_VOcCLqHbkDuFUH3kWbiBgTh-_6O_acfZwS1wcg@mail.gmail.com>

I don't think there is a security problem with that.  It's just a
question of how much it complicates the model.

Adam


On Sun, Feb 24, 2013 at 10:32 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Say <img> does a cross-origin request. The response to that request is
> a redirect with the appropriate CORS headers set. The new location is
> a data URL. Should that URL be tainted or not? I tend to think we
> should make that work.
>
> (By the way, if you're interested. I'm working on a new specification
> that merges HTML fetch and CORS, named Fetch.
> http://wiki.whatwg.org/wiki/Fetch has the rough outline so far,
> including an algorithm at the bottom. The idea is that everything in
> the platform that does network requests ties into that (in particular
> the fetch function which dispatches as appropriate).)
>
>
> --
> http://annevankesteren.nl/

Received on Monday, 25 February 2013 04:31:30 UTC