[whatwg] Fetch: cross-origin redirect to a data URL
Anne van Kesteren
annevk at annevk.nl
Thu Feb 28 08:33:57 PST 2013
On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack. In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth. At least in Firefox, last I checked.
Does it matter if it's a same-origin redirect though? It seems then it
should be okay (given there's no cross-origin URL in the redirect
chain).
> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275
That seems to argue for even stricter rules. Basically stopping
navigation to data URLs.
--
http://annevankesteren.nl/
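Added illustration (not code from this thread, from the Fetch spec, or from any browser): a small redirect-chain classifier for the rule Anne floats above, where a data: URL reached only through same-origin redirects is treated like a same-origin fetch and any cross-origin hop in the chain makes the data: destination untrusted. The function names and the result labels are assumptions made here for the example.

```javascript
// Classify a fetch redirect chain that ends in a data: URL.
// chain: array of URL strings, starting with the original request URL and
// ending with the final response URL; every element after the first is a
// redirect target. Result labels are our own, invented for this example.
function originOf(urlString) {
  const u = new URL(urlString);
  // data: URLs have an opaque origin; represent that as null so that an
  // origin comparison against it can never succeed.
  if (u.protocol === "data:") return null;
  return u.origin;
}

function classifyRedirectChain(chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new Error("redirect chain must contain at least the request URL");
  }
  const finalUrl = new URL(chain[chain.length - 1]);
  if (finalUrl.protocol !== "data:") return "not-data";
  // A request that starts at a data: URL (no redirect involved) is the case
  // where Firefox, per the thread, inherits the author's security context.
  if (new URL(chain[0]).protocol === "data:") return "data-direct";
  const requestOrigin = originOf(chain[0]);
  // Every intermediate hop must be same-origin with the original request;
  // a single cross-origin hop means a third party chose the data: payload.
  for (let i = 1; i < chain.length - 1; i++) {
    if (originOf(chain[i]) !== requestOrigin) return "cross-origin-data";
  }
  return "same-origin-data";
}

// Constructed sample chains (not from the thread):
const samples = [
  ["https://a.example/x", "data:text/plain,hi"],
  ["https://a.example/x", "https://a.example/y", "data:text/plain,hi"],
  ["https://a.example/x", "https://b.example/y", "data:text/plain,hi"],
  ["https://a.example/x", "https://a.example/y"],
  ["data:text/plain,hi"],
];
for (const chain of samples) {
  console.log(classifyRedirectChain(chain), chain.join(" -> "));
}
```

Only "same-origin-data" chains would qualify for the relaxed treatment Anne asks about; "cross-origin-data" is the case Chrome blocks, and whether even "data-direct" navigation should be allowed is the stricter question raised in the linked Mozilla bug.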