- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 27 Apr 2015 15:58:00 -0700
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: WHATWG <whatwg@whatwg.org>, Mike West <mkwst@google.com>
On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> Currently Chrome supports data URLs inside EventSource whereas in
>> Firefox EventSource is restricted to http/https URLs:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>
>> What's the convergence we want here?
>
> It's rather frustrating when data: urls don't work in various places;
> they're an invaluable debugging tool, at minimum. They should
> generally be treated as the same security level as the page, no?

There are definitely exceptions to this. For example, Chrome doesn't run an
<iframe src="data:..."> with the same origin as its parent. For IMHO good
reasons, since it's a potential XSS vector if a website accepts URLs from
third parties and renders them inside a child <iframe>.

The same problem exists with accepting data: URLs in "new Worker(...)".

So no, I don't think it should be treated as the same security level as
the page. For data-loading APIs, rather than script-running APIs, I see
less of such risk though.

/ Jonas
Received on Monday, 27 April 2015 22:58:54 UTC
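The XSS vector Jonas describes above (a site taking a URL from a third party and loading it into a child <iframe> or a new Worker(), where a data: URL carries attacker script) is usually closed at the embedding site by allow-listing the URL scheme before the URL ever reaches the frame. The block below is an added example, not code from this thread, Chrome, or Firefox; the function names, the base URL and the sample inputs are constructed for illustration. It uses the standard URL parser so that scheme casing, leading whitespace and scheme-relative forms are normalised before the check, and it emits a sandbox attribute without allow-same-origin so the frame gets an opaque origin regardless of how a given browser treats data: frames.

```javascript
// Added example: scheme allow-list for URLs that a page embeds in a child
// <iframe> or hands to new Worker(). Not code from the WHATWG thread; names
// and sample inputs are hypothetical. Runs under Node (global URL) or in a
// browser.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL if it is safe to embed, else null.
// Parsing with the URL constructor (assumed base 'https://example.test/')
// resolves scheme-relative input, lowercases the scheme and strips leading
// and trailing whitespace, so ' DATA:...' and '//host/x' are handled.
function safeEmbedUrl(candidate, base = 'https://example.test/') {
  let url;
  try {
    url = new URL(String(candidate), base);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Attributes for the <iframe> once the URL has passed the allow-list.
// sandbox without allow-same-origin forces an opaque origin, so even a
// browser that would inherit the embedder's origin does not give the frame
// access to the parent's DOM or cookies.
function frameAttributes(candidate) {
  const href = safeEmbedUrl(candidate);
  if (href === null) return null;
  return { src: href, sandbox: 'allow-scripts' };
}

// Constructed sample inputs, as a third party might supply them.
const SAMPLES = [
  'https://partner.example/widget',
  '//partner.example/widget',
  'data:text/html,<script>alert(document.domain)</script>',
  'javascript:alert(1)',
  'blob:https://example.test/1234',
  ' DATA:text/html,<script>alert(1)</script>', // leading space, uppercase scheme
  'data:application/javascript,postMessage(1)', // what new Worker() would get
];

// Runs every sample through the allow-list and reports the decision.
function classify(samples) {
  return samples.map((input) => ({ input, allowed: safeEmbedUrl(input) }));
}

for (const r of classify(SAMPLES)) {
  console.log(r.allowed === null ? 'REJECT' : 'ALLOW ', JSON.stringify(r.input));
}
```

The same safeEmbedUrl() check belongs in front of new Worker(url) and EventSource(url) if those accept third-party input; the allow-list is the decision point, and the sandbox attribute is a second layer for the iframe case only.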