- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Mon, 27 Apr 2015 16:04:55 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: WHATWG <whatwg@whatwg.org>, Mike West <mkwst@google.com>
On Mon, Apr 27, 2015 at 3:58 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> Currently Chrome supports data URLs inside EventSource whereas in
>>> Firefox EventSource is restricted to http/https URLs:
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>>
>>> What's the convergence we want here?
>>
>> It's rather frustrating when data: URLs don't work in various places;
>> they're an invaluable debugging tool, at minimum. They should
>> generally be treated as the same security level as the page, no?
>
> There are definitely exceptions to this. For example Chrome doesn't run
> a <iframe src="data:..."> with the same origin as its parent. For IMHO
> good reasons since it's a potential XSS vector if a website accepts
> URLs from third parties and renders them inside a child <iframe>.
>
> The same problem exists with accepting data: URLs in "new Worker(...)".
>
> So no, I don't think it should be treated as the same security level
> as the page.
>
> For data-loading APIs, rather than script-running APIs, I see less of
> such risk though.

Yeah, I can see the potential risks for script-running APIs, but this
is definitely a data-loading API. ^_^

~TJ
Received on Monday, 27 April 2015 23:05:39 UTC
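The distinction drawn in the thread between data-loading sinks (EventSource) and script-running sinks (<iframe src>, new Worker()) written out as a defensive scheme check for third-party-supplied URLs. This is an added example, not code from the thread or from any browser; the sink names and the allowlisted scheme sets are assumptions of the example.

```javascript
// Added example: a scheme allowlist for URLs received from third parties,
// keyed on the kind of sink they will feed. Following the thread's split,
// data: URLs are tolerated for a data-loading sink (EventSource) but
// rejected for script-running sinks (<iframe src>, new Worker()), where a
// third-party data: URL is a potential XSS vector.

// Hypothetical sink names; the scheme sets are an assumption of this example.
const ALLOWED_SCHEMES = {
  "script-running": new Set(["http:", "https:"]),
  "data-loading": new Set(["http:", "https:", "data:"]),
};

// Parse a third-party URL the way the browser will (trim, resolve relative
// references against the page's base, lowercase the scheme) and return the
// scheme including the trailing colon, or null when the URL does not parse.
function schemeOf(rawUrl, base) {
  try {
    return new URL(String(rawUrl).trim(), base).protocol; // e.g. "https:"
  } catch (e) {
    return null;
  }
}

// Decide whether rawUrl may be handed to a sink of the given kind.
// Relative URLs inherit the base's scheme, so a relative path on an https:
// page resolves to https: and passes; "javascript:" and "blob:" never pass,
// and an unparseable URL is rejected rather than passed through.
function isAllowedFor(sinkKind, rawUrl, base) {
  const allowed = ALLOWED_SCHEMES[sinkKind];
  if (!allowed) throw new Error("unknown sink kind: " + sinkKind);
  const scheme = schemeOf(rawUrl, base);
  return scheme !== null && allowed.has(scheme);
}
```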