Re: Data uri origin inheritance

On 1/15/14 8:00 AM, Joćo Eiras wrote:
>  From what I understood, if I have some navigation action from A to B
> with a data uri, B will inherit the origin from A

How are you doing the navigation, exactly?

> But if that navigation action is triggered by a script, B
> will inherit the origin of the Window under which the script ran. Correct ?

It will alias the origin and effective script origin of whatever window 
was incumbent at the point the navigation was triggered.

> Is there any
> situation where the script would be in a different origin from A ? The
> only thing I came up with was fiddling with document.domain

I believe that's correct for the origin bits.

But note that there are things other than origin that we may want to 
inherit here.  For example, CSP settings.

> have A still, have a third C document in an iframe which runs in a sub-domain
> of A, assign document.domain and run a script in C which tells A to
> navigate to the data uri.

I think that testcase is backwards.  You want to run a script in C 
(whether triggered by A or not) and that script directly navigates B. 
In that situation B will alias the origin of C.

> In what other ways is this possible to test ? What's the use case for
> this ?

The use case for data: URIs aliasing origins at all?  Or for the 
specific determination of which origin to alias when you're navigated 
from JS and the callstack has stackframes from different origins?

-Boris

Received on Wednesday, 15 January 2014 15:34:43 UTC