[whatwg] Fetch: cross-origin redirect to a data URL

Anne van Kesteren annevk at annevk.nl
Thu Feb 28 08:33:57 PST 2013


On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack.  In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth.  At least in Firefox, last I checked.

Does it matter if it's a same-origin redirect though? It seems then it
should be okay (given there's no cross-origin URL in the redirect
chain).


> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275

That seems to argue for even stricter rules. Basically stopping
navigation to data URLs.


-- 
http://annevankesteren.nl/



More information about the whatwg mailing list