- From: duanyao <duanyao@ustc.edu>
- Date: Tue, 28 Apr 2015 02:37:04 +0000
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: WHATWG <whatwg@whatwg.org>
On 2015-04-27 22:58, Jonas Sicking wrote:
> On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> Currently Chrome supports data URLs inside EventSource whereas in
>>> Firefox EventSource is restricted to http/https URLs:
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>>
>>> What's the convergence we want here?
>> It's rather frustrating when data: urls don't work in various places;
>> they're an invaluable debugging tool, at minimum. They should
>> generally be treated as the same security level as the page, no?
> There are definitely exceptions to this. For example Chrome doesn't run
> a <iframe src="data:..."> with the same origin as its parent. For IMHO
> good reasons, since it's a potential XSS vector if a website accepts
> URLs from third parties and renders them inside a child <iframe>.
>
> The same problem exists with accepting data: URLs in "new Worker(...)".

I think this is unfortunate. In iframe, the srcdoc attribute seems as secure (insecure) as a data: URL in src, so should it be removed from the spec? The restriction of data: URLs in iframe.src can also be worked around by creating an iframe with src="about:blank" and then manipulating its DOM as you wish.

On Web Workers, according to the current spec (http://dev.w3.org/html5/workers/#dedicated-workers-and-the-worker-interface ), data: URLs and same-origin blob: URLs are allowed as worker URLs: Firefox accepts data: URLs as worker URLs, and I remember that older versions of Chrome also did. So should the Worker spec be changed to disallow data:/blob: URLs? This change would make it hard or impossible to ship a web app/library that uses workers in one file.

Regards,
Duan Yao
Received on Tuesday, 28 April 2015 02:37:50 UTC