[whatwg] Security restriction allows content thievery

Ian Hickson ian at hixie.ch
Thu Sep 6 11:22:42 PDT 2012

On Mon, 16 Jul 2012, Robert Eisele wrote:
> Browsers are very restrictive when one tries to access the contents of 
> different domains (including the scheme), embedded via framesets. This 
> is normally a good practice, but I'd suggest to weaken this restriction 
> for the data: URI schema.

It already is. The origin of documents and images using data: URLs is 
essentially the origin of wherever you found the URL.

> I'm currently building an analysis system like Google Analytics, which 
> gets embedded into a website via a small JavaScript snippet. When I 
> analyzed the data, I came across a very interesting trick because I got 
> a lot of requests (with the data from location.href) where the entire 
> website was embedded into a data:text/html URI - except that all ads of 
> the page were replaced. Fortunately, my tracking code has been left 
> without modifications.


> But the scary thing is that this way you can monetize foreign content by 
> simply embedding it somewhere you can direct traffic to. That's pretty 
> clever, because the original site owner doesn't notice this abuse due to 
> the fact that top.location.href isn't readable. Or even worse, he would 
> never notice it at all when he doesn't sniff the URI with JavaScript, 
> because image files would have no referrer.
> My final approach to convict the abuser is based on the fact, that the 
> JavaScript was dynamically loaded from my server and that I can write to 
> location.href. So I added this piece of code:
> if (top.location.protocol === 'data:') {
>     top.location.href = 'http://example.com/trap/';
> }
> But even then the referrer will not be passed to the server. So my 
> proposal is that the data URI schema gets an exception on this security 
> behavior.

I don't understand. What referrer are you trying to set? To what?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list