Re: [whatwg] EventSource and data URLs

On 2015-04-27 22:58, Jonas Sicking wrote:
> On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> Currently Chrome supports data URLs inside EventSource whereas in
>>> Firefox EventSource is restricted to http/https URLs:
>>>
>>>    https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>>
>>> What's the convergence we want here?
>> It's rather frustrating when data: urls don't work in various places;
>> they're an invaluable debugging tool, at minimum.  They should
>> generally be treated as the same security level as the page, no?
> There are definitely exceptions to this. For example chrome doesn't run
> a <iframe src="data:..."> with the same origin as its parent. For IMHO
> good reasons since it's a potential XSS vector if a website accepts
> URLs from third parties and renders them inside a child <iframe>.
>
> The same problem exists with accepting data: URLs in "new Worker(...)".

I think this is unfortunate.

In iframe, the srcdoc attribute seems as secure (or insecure) as a data: URL in 
src, so should it be removed from the spec?

The restriction on data: URLs in iframe.src can also be worked around by 
creating an iframe with src="about:blank" and then manipulating its DOM 
as you wish.

For Web Workers, according to the current spec 
(http://dev.w3.org/html5/workers/#dedicated-workers-and-the-worker-interface
), data: URLs and same-origin blob: URLs are allowed as worker URLs:

Firefox accepts data: URLs as worker URLs, and I remember that older 
versions of Chrome also did.

So should the Worker spec be changed to disallow data:/blob: URLs? This 
change would make it hard or impossible to ship a web app/library that 
uses workers in one file.

Regards,
   Duan Yao

Received on Tuesday, 28 April 2015 02:37:50 UTC
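The XSS scenario Jonas Sicking describes above (a site that accepts URLs from third parties and renders them in a child <iframe>) is the reason a data: URL in iframe.src cannot simply be "the same security level as the page". The following is an added example, not code from the thread or from any browser or spec: a scheme-allowlisting check run over a few constructed sample inputs, using the WHATWG URL parser that browsers and Node share. The function and constant names (safeEmbedUrl, embedOrigin, ALLOWED_PROTOCOLS, SAMPLES) and the base origin https://app.example/ are this example's own assumptions.

```javascript
// Added example (not from the thread): validate a third-party supplied URL
// before assigning it to iframe.src.  The point from the discussion: in some
// browsers a data: (or javascript:) URL in iframe.src can run script with the
// embedding page's origin, so the embedder must allowlist schemes, not blocklist.
//
// All names below are this example's own; https://app.example/ is an assumed
// base origin for resolving relative inputs.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

/**
 * Parse `input` the way a browser would (WHATWG URL parser: surrounding
 * whitespace stripped, scheme lower-cased, relative references resolved
 * against `pageBase`) and accept it for iframe.src only if the result is an
 * http(s) URL with a non-opaque origin.  Returns the normalised href, or
 * null if the input must be rejected.
 */
function safeEmbedUrl(input, pageBase = 'https://app.example/') {
  let url;
  try {
    url = new URL(String(input), pageBase);
  } catch {
    return null; // unparsable input: reject rather than pass through raw
  }
  // Allowlist: data:, javascript:, blob:, file:, ftp: ... all fall out here.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Belt and braces: http(s) URLs always have a tuple origin, but never embed
  // anything whose origin the parser reports as opaque ("null").
  if (url.origin === 'null') return null;
  return url.href;
}

/**
 * The origin the URL parser assigns to `input` (no base, so relative inputs
 * fail and yield null).  data: and javascript: URLs have an opaque origin,
 * which serialises as the string "null"; that is the "different origin"
 * behaviour the thread is discussing for data: iframes.
 */
function embedOrigin(input) {
  try {
    return new URL(String(input)).origin;
  } catch {
    return null;
  }
}

// Constructed sample inputs a third party might submit (not real data).
const SAMPLES = [
  'https://partner.example/widget',
  '/relative/widget',
  '  DATA:text/html,<script>alert(document.cookie)</script>',
  'javascript:alert(1)',
  'blob:https://app.example/5a2b9c1d',
  'ftp://partner.example/',
  'not a url at all',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeEmbedUrl(s), '(origin:', embedOrigin(s) + ')');
}
```

Note that this check only settles the scheme question raised in the thread; a scheme-relative input such as //evil.example/x resolves to https://evil.example/x and passes, so restricting which hosts may be embedded is a separate, additional allowlist.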