Skip to content

Commit

Permalink
Treat data URLs as same-origin
Browse files Browse the repository at this point in the history
By-and-large browsers treat data URLs as same-origin, though there 
are some inconsistencies. This change will treat all data URLs, 
regardless of origin, as same-origin from the perspective of Fetch.

HTML already assigns a unique opague origin to documents created from
a data URL and the plan of record is to do so for dedicated workers
too.

HTML will likely also forbid shared workers to be created from data 
URLs.

See whatwg/html#1782 for the proposed changes 
to HTML. (This has not landed yet, if that PR is tweaked further the 
note added here might need some tweaks.)

Service workers already prevent anything but HTTP(S) URLs from 
creating them.

Fixes #381.
  • Loading branch information
annevk authored Sep 15, 2016
1 parent 72fc2e7 commit 6f223de
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 21 deletions.
23 changes: 12 additions & 11 deletions Overview.html
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

<p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-14-september-2016">Living Standard — Last Updated 14 September 2016</h2>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-15-september-2016">Living Standard — Last Updated 15 September 2016</h2>

<dl>
<dt>Participate:
Expand Down Expand Up @@ -951,10 +951,6 @@ <h4 id="requests"><span class="secno">3.1.5 </span>Requests</h4>
<dfn data-dfn-for="request" data-export="" id="omit-origin-header-flag">omit-<code>Origin</code>-header flag</dfn>. Unless stated
otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn data-dfn-for="request" data-export="" id="same-origin-data-url-flag">same-origin data-URL flag</dfn>. Unless stated otherwise it is
unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn data-dfn-for="request" data-export="" id="concept-request-referrer" title="concept-request-referrer">referrer</dfn>, which is
"<code>no-referrer</code>", "<code>client</code>", or a
Expand Down Expand Up @@ -2484,9 +2480,7 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
<a href="#concept-request-origin" title="concept-request-origin">origin</a> and <i>CORS flag</i> is unset
<dt><var>request</var>'s
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
"<code title="">data</code>" and <var>request</var>'s
<a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code>data</code>"
<dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
"<code title="">navigate</code>" or "<code title="">websocket</code>"

Expand All @@ -2499,6 +2493,16 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
using <var>request</var>.
</ol>

<p class="note no-backref">HTML assigns any documents and dedicated workers created from
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> whose
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code>data</code>" a
unique <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque">opaque origin</a>, and prevents creation of shared workers
from such <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a>. Service workers can only be
created from <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> whose
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is an
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>.
<a href="#refsHTML">[HTML]</a> <a href="#refsSW">[SW]</a>

<dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
"<code title="">same-origin</code>"

Expand Down Expand Up @@ -3059,8 +3063,6 @@ <h3 id="http-redirect-fetch"><span class="secno">5.4 </span>HTTP-redirect fetch<
<li><p>Increase <var>request</var>'s
<a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> by one.

<li><p>Unset <var title="">request</var>'s <a href="#same-origin-data-url-flag">same-origin data-URL flag</a>.

<li><p>If <var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code>cors</code>",
<var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> is <em>not</em>
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with <var>actualResponse</var>'s
Expand Down Expand Up @@ -4683,7 +4685,6 @@ <h3 id="request-class"><span class="secno">6.3 </span>Request class</h3>
<a href="#concept-request-origin" title="concept-request-origin">origin</a> is "<code>client</code>",
<a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a> is <var>request</var>'s
<a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a>,
<a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set,
<a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is <var>request</var>'s
<a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>,
<a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> is
Expand Down
21 changes: 11 additions & 10 deletions Overview.src.html
Original file line number Diff line number Diff line change
Expand Up @@ -881,10 +881,6 @@ <h4>Requests</h4>
<dfn data-export data-dfn-for=request>omit-<code>Origin</code>-header flag</dfn>. Unless stated
otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn data-export data-dfn-for=request>same-origin data-URL flag</dfn>. Unless stated otherwise it is
unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-referrer data-export data-dfn-for=request>referrer</dfn>, which is
"<code>no-referrer</code>", "<code>client</code>", or a
Expand Down Expand Up @@ -2414,9 +2410,7 @@ <h3>Main fetch</h3>
<span title=concept-request-origin>origin</span> and <i>CORS flag</i> is unset
<dt><var>request</var>'s
<span title=concept-request-current-url>current url</span>'s
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
"<code title>data</code>" and <var>request</var>'s
<span>same-origin data-URL flag</span> is set
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>"
<dt><var>request</var>'s <span title=concept-request-mode>mode</span> is
"<code title>navigate</code>" or "<code title>websocket</code>"

Expand All @@ -2429,6 +2423,16 @@ <h3>Main fetch</h3>
using <var>request</var>.
</ol>

<p class="note no-backref">HTML assigns any documents and dedicated workers created from
<span data-anolis-spec=url title=concept-url>URLs</span> whose
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>" a
unique <span data-anolis-spec=html>opaque origin</span>, and prevents creation of shared workers
from such <span data-anolis-spec=url title=concept-url>URLs</span>. Service workers can only be
created from <span data-anolis-spec=url title=concept-url>URLs</span> whose
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is an
<span data-anolis-spec=url>HTTP(S) scheme</span>.
<span data-anolis-ref>HTML</span> <span data-anolis-ref>SW</span>

<dt><var>request</var>'s <span title=concept-request-mode>mode</span> is
"<code title>same-origin</code>"

Expand Down Expand Up @@ -2989,8 +2993,6 @@ <h3>HTTP-redirect fetch</h3>
<li><p>Increase <var>request</var>'s
<span title=concept-request-redirect-count>redirect count</span> by one.

<li><p>Unset <var title>request</var>'s <span>same-origin data-URL flag</span>.

<li><p>If <var>request</var>'s <span title=concept-request-mode>mode</span> is "<code>cors</code>",
<var>request</var>'s <span title=concept-request-origin>origin</span> is <em>not</em>
<span data-anolis-spec=html>same origin</span> with <var>actualResponse</var>'s
Expand Down Expand Up @@ -4613,7 +4615,6 @@ <h3>Request class</h3>
<span title=concept-request-origin>origin</span> is "<code>client</code>",
<span>omit-<code>Origin</code>-header flag</span> is <var>request</var>'s
<span>omit-<code>Origin</code>-header flag</span>,
<span>same-origin data-URL flag</span> is set,
<span title=concept-request-referrer>referrer</span> is <var>request</var>'s
<span title=concept-request-referrer>referrer</span>,
<span title=concept-request-referrer-policy>referrer policy</span> is
Expand Down

0 comments on commit 6f223de

Please sign in to comment.