Treat data URLs as same-origin, except for workers #387

Merged
merged 3 commits into from
Sep 15, 2016

@annevk annevk commented Sep 14, 2016

HTML gives data URLs a unique origin when navigating to them to prevent
a class of XSS attacks.

Since browsers already largely allow data URLs in all other contexts
this commit aligns with that, opting them into being same-origin
elsewhere.

Workers however are still prevented. It would create problems for
shared workers and potentially also for dedicated workers.

Fixes #381.


annevk commented Sep 14, 2016

Once this lands I should update HTML to remove mention of the flag.


domenic commented Sep 14, 2016

> HTML gives data URLs a unique origin when navigating to them to prevent
> a class of XSS attacks.

More accurately "gives Documents created from data URLs", right?


annevk commented Sep 14, 2016

Yeah, that'd be a little better.

@mikewest

This patch does what you want it to do, and I think I'm happy with moving Chrome in this direction. LGTM.

<p class="note no-backref">HTML will assign any documents and dedicated workers created from a
<span data-anolis-spec=url title=concept-url>URL</span> whose
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>" an
<span data-anolis-spec=html>opaque origin</span> and it prevents creation of shared workers from

Tiny nit: perhaps s/and it prevents/, and prevents/


annevk commented Sep 15, 2016

Proposed commit message:

Treat data URLs as same-origin

By-and-large browsers treat data URLs as same-origin, though there 
are some inconsistencies. This change will treat all data URLs, 
regardless of origin, as same-origin from the perspective of Fetch.

HTML will assign a unique opaque origin to documents and dedicated
workers created from a data URL.

HTML will also forbid shared workers to be created from data URLs.

See https://github.com/whatwg/html/pull/1782 for the changes made to
HTML.

Service workers already prevent anything but HTTP(S) URLs from 
creating them.

Fixes #381.

@annevk annevk merged commit 6f223de into master Sep 15, 2016
@annevk annevk deleted the data-urls-are-mostly-same-origin branch September 15, 2016 17:50
annevk added a commit that referenced this pull request Oct 12, 2016
Since #387 landed HTML’s change in
whatwg/html#1782 was adjusted a bit for shared
workers.
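
An added example, not part of this pull request or the Fetch Standard's text: a simplified model of the decision the commit message describes, showing that a data URL serializes to an opaque ("null") origin yet is treated as same-origin by Fetch. The function names, the `network-error` label and the sample origins are assumptions made for illustration.

```javascript
// Simplified model (added example). Request modes and tainting values use
// Fetch's names; fetchTreatment() and "network-error" are hypothetical labels.

function serializedOrigin(urlString) {
  // The WHATWG URL API reports "null" (an opaque origin) for data: URLs.
  return new URL(urlString).origin;
}

function fetchTreatment(requestOrigin, urlString, mode) {
  const url = new URL(urlString);

  // Edge case: two opaque origins both serialize to "null" but are never
  // same-origin with each other, so a plain string comparison is not enough.
  const sameOrigin = url.origin !== "null" && url.origin === requestOrigin;

  // The rule from this change: data URLs count as same-origin for Fetch,
  // regardless of the origin of the requester.
  const isDataUrl = url.protocol === "data:";

  if (sameOrigin || isDataUrl) return "basic";
  if (mode === "same-origin") return "network-error";
  if (mode === "no-cors") return "opaque";
  return "cors";
}

// Constructed sample inputs.
const SAMPLES = [
  ["https://app.example", "https://app.example/api", "cors"],
  ["https://app.example", "data:text/plain,hi", "same-origin"],
  ["https://app.example", "https://other.example/x", "same-origin"],
  ["null", "data:text/plain,hi", "cors"],
];

function runSamples() {
  return SAMPLES.map(([origin, url, mode]) => ({
    origin,
    url,
    mode,
    urlOrigin: serializedOrigin(url),
    result: fetchTreatment(origin, url, mode),
  }));
}

console.log(runSamples());
```

Code that decides trust by comparing serialized origins sees `null` for a data URL, so it has to handle the data scheme explicitly rather than rely on the string match.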