[whatwg] Security restriction allows content thievery

Adam Barth w3c at adambarth.com
Fri Sep 7 10:03:12 PDT 2012


On Thu, Sep 6, 2012 at 9:53 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Fri, 7 Sep 2012, Fred Andrews wrote:
>> I think the aim is to have the URL of the page that includes these data:
>> URLs sent to the tracking server?
>
> Ah, I see. So say you have a page A, which itself contains a data: URL,
> and you load that data: URL as page B, and in B there is a link to another
> resource C, the argument here is that in the network request for C, the
> referrer information should be of A, rather than B?
>
> That's an interesting idea... Any browser vendors want to chip in on this?

We're unlikely to implement that in WebKit.  We'd like to keep
documents created by data URLs in a unique origin and avoid leaking
privileges (including the privilege to send a certain Referer into the
iframe).

Adam


