[whatwg] Fetch: cross-origin redirect to a data URL

Adam Barth w3c at adambarth.com
Sun Feb 24 20:30:30 PST 2013

I don't think there is a security problem with that.  It's just a
question of how much it complicates the model.


On Sun, Feb 24, 2013 at 10:32 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> Say <img> does a cross-origin request. The response to that request is
> a redirect with the appropriate CORS headers set. The new location is
> a data URL. Should that URL be tainted or not? I tend to think we
> should make that work.
> (By the way, if you're interested. I'm working on a new specification
> that merges HTML fetch and CORS, named Fetch.
> http://wiki.whatwg.org/wiki/Fetch has the rough outline so far,
> including an algorithm at the bottom. The idea is that everything in
> the platform that does network requests ties into that (in particular
> the fetch function which dispatches as appropriate).)
> --
> http://annevankesteren.nl/

More information about the whatwg mailing list