[whatwg] Security restriction allows content thievery

Ian Hickson ian at hixie.ch
Thu Sep 6 21:53:23 PDT 2012

On Fri, 7 Sep 2012, Fred Andrews wrote:
> I think the aim is to have the URL of the page that includes these data: 
> URLs sent to the tracking server?

Ah, I see. So say you have a page A, which itself contains a data: URL, 
and you load that data: URL as page B, and in B there is a link to another 
resource C, the argument here is that in the network request for C, the 
referrer information should be of A, rather than B?

That's an interesting idea... Any browser vendors want to chip in on this?

Unless there is browser-vendor interest in implementing this, I don't 
intend to add it to the spec, since it seems a little esoteric and could 
leak referrers in cases where authors had previously assumed they'd be 
safe (e.g. if a Webmail app is opening e-mails in iframes using data: URLs 
to prevent the e-mail's images from including the user's webmail client's 
URL in the referrer information, or something).

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list