- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 28 Feb 2013 16:33:57 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg@lists.whatwg.org
On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack. In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth. At least in Firefox, last I checked.

Does it matter if it's a same-origin redirect though? It seems then it should be okay (given there's no cross-origin URL in the redirect chain).

> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275

That seems to argue for even stricter rules. Basically stopping navigation to data URLs.

--
http://annevankesteren.nl/
Received on Thursday, 28 February 2013 16:34:27 UTC