[whatwg] Fetch: cross-origin redirect to a data URL

Adam Barth w3c at adambarth.com
Mon Feb 25 12:00:21 PST 2013

On Mon, Feb 25, 2013 at 1:49 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth <w3c at adambarth.com> wrote:
>> I don't think there is a security problem with that.  It's just a
>> question of how much it complicates the model.
> Well currently for http://software.hixie.ch/utilities/cgi/data/data
> Chrome generates a network error if you hit "Generate" with the reason
> "unsafe redirect". And that's a simple http to data URL redirect
> without CORS coming into play.

Yes, that's to defend against a different sort of attack.  In some
browsers, like Firefox, data URLs inherit the security context of
their authors.  If a web site as an open redirect, an attacker might
be able to trick the site into redirecting to a data URL of the
attackers choice and thereby XSS the site.

Chrome wouldn't be vulnerable to that attack because Chrome runs data
URLs in unique origins, but Chrome blocks those sorts of redirects so
that web sites don't use them and don't cause trouble for Firefox.


More information about the whatwg mailing list