- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 2 Jun 2014 11:19:24 +0200
- To: WHATWG <whatwg@whatwg.org>
At the moment data URLs inherit the origin of the context that fetches them. This is not the case in Chrome and we'd like this to be no longer the case in Gecko. https://bugzilla.mozilla.org/show_bug.cgi?id=1018872 is tracking this. The reasoning is that data URLs require being careful with a URL being handed to you whereas most other URLs do not. If you put it in an <iframe> or worker it can leak information from your origin to a third party. The proposal is to add a flag to Fetch with regards to origin inheritance: "same-origin data URL flag". This is set by <img> and XMLHttpRequest, but not by <iframe>. For <iframe> we'd require <iframe allowsameorigindataurl>. And then it would only be set for the initial fetch, not after the <iframe> has been navigated. Workers might be harder as there might be content relying on workers working with data URLs. That needs to be investigated. I'll be updating Fetch shortly with this new policy, I hope HTML can be similarly aligned or at least that we come to an agreement here on the above plan (I can imagine HTML might want to wait until it integrates with Fetch in general). -- http://annevankesteren.nl/
Received on Monday, 2 June 2014 09:19:49 UTC