[whatwg] Fetch: cross-origin redirect to a data URL
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Feb 25 12:06:36 PST 2013
On 2/25/13 3:00 PM, Adam Barth wrote:
> Yes, that's to defend against a different sort of attack. In some
> browsers, like Firefox, data URLs inherit the security context of
> their authors.
This is not the case for data: URLs that are the target of a redirect,
for what it's worth. At least in Firefox, last I checked.
The only argument I've seen for Chrome's behavior is in
https://bugzilla.mozilla.org/show_bug.cgi?id=786275
-Boris
More information about the whatwg
mailing list