
Re: [whatwg] Stricter data URL policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 2 Jun 2014 15:00:38 +0200
Message-ID: <CADnb78gr1nmzOmRKCXb+TNE0OkxvvhhP9X9HOR=3vpZ6_LaW5Q@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: WHATWG <whatwg@lists.whatwg.org>
On Mon, Jun 2, 2014 at 2:48 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 6/2/14, 5:19 AM, Anne van Kesteren wrote:
>> This is not the case in Chrome and we'd like this to be no
>> longer the case in Gecko.
>
> Note that it's not clear to me what "we" means in this case.  For example,
> I'm unconvinced we want to change Gecko behavior here.

You're not persuaded by the attack scenario?



>> And then it would only be set for the initial
>> fetch, not after the <iframe> has been navigated.
>
> More precisely, it would be set for loads due to the iframe's src changing
> but not ones due to link clicks and location changes?
>
> Or do you really mean only for the initial fetch and not later changes to
> @src?

Actual changes to @src seem fine since they are under the control of
the page. (At least as much as the allowsameorigindataurl attribute.)


>> I'll be updating Fetch shortly with this new policy
>
> This seems fine, since we want it no matter what; the only disagreement is
> about when that flag should be set, right?

Provided we agree that it is always unset after any redirect, yes.


-- 
http://annevankesteren.nl/
Received on Monday, 2 June 2014 13:01:03 UTC
