[whatwg] Security restriction allows content thievery
ian at hixie.ch
Thu Sep 6 21:53:23 PDT 2012
On Fri, 7 Sep 2012, Fred Andrews wrote:
> I think the aim is to have the URL of the page that includes these data:
> URLs sent to the tracking server?
Ah, I see. So say you have a page A, which itself contains a data: URL,
and you load that data: URL as page B, and in B there is a link to another
resource C, the argument here is that in the network request for C, the
referrer information should be of A, rather than B?
That's an interesting idea... Any browser vendors want to chip in on this?
Unless there is browser-vendor interest in implementing this, I don't
intend to add it to the spec, since it seems a little esoteric and could
leak referrers in cases where authors had previously assumed they'd be
safe (e.g. if a Webmail app is opening e-mails in iframes using data: URLs
to prevent the e-mail's images from including the user's webmail client's
URL in the referrer information, or something).
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg