- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 25 Feb 2013 12:00:21 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@whatwg.org>
On Mon, Feb 25, 2013 at 1:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth <w3c@adambarth.com> wrote: >> I don't think there is a security problem with that. It's just a >> question of how much it complicates the model. > > Well currently for http://software.hixie.ch/utilities/cgi/data/data > Chrome generates a network error if you hit "Generate" with the reason > "unsafe redirect". And that's a simple http to data URL redirect > without CORS coming into play. Yes, that's to defend against a different sort of attack. In some browsers, like Firefox, data URLs inherit the security context of their authors. If a web site as an open redirect, an attacker might be able to trick the site into redirecting to a data URL of the attackers choice and thereby XSS the site. Chrome wouldn't be vulnerable to that attack because Chrome runs data URLs in unique origins, but Chrome blocks those sorts of redirects so that web sites don't use them and don't cause trouble for Firefox. Adam
Received on Monday, 25 February 2013 20:01:23 UTC