Re: [whatwg] Fetch: cross-origin redirect to a data URL

On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack.  In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth.  At least in Firefox, last I checked.

Does it matter if it's a same-origin redirect though? It seems then it
should be okay (given there's no cross-origin URL in the redirect
chain).


> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275

That seems to argue for even stricter rules. Basically stopping
navigation to data URLs.


-- 
http://annevankesteren.nl/

Received on Thursday, 28 February 2013 16:34:27 UTC