-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Treat data URLs as same-origin, except for workers #387
Conversation
HTML gives data URLs a unique origin when navigating to them to prevent a class of XSS attacks. Since browsers already largely allow data URLs in all other contexts this commit aligns with that, opting them into being same-origin elsewhere. Workers however are still prevented. It would create problems for shared workers and potentially also for dedicated workers. Fixes #381.
Once this lands I should update HTML to remove mention of the flag. |
more accurately "gives Documents created from data URLs", right? |
Yeah, that'd be a little better. |
This patch does what you want it to do, and I think I'm happy with moving Chrome in this direction. LGTM. |
<p class="note no-backref">HTML will assign any documents and dedicated workers created from a | ||
<span data-anolis-spec=url title=concept-url>URL</span> whose | ||
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>" an | ||
<span data-anolis-spec=html>opaque origin</span> and it prevents creation of shared workers from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny nit: perhaps s/and it prevents/, and prevents/
Proposed commit message:
|
Since #387 landed HTML’s change in whatwg/html#1782 was adjusted a bit for shared workers.
HTML gives data URLs a unique origin when navigating to them to prevent
a class of XSS attacks.
Since browsers already largely allow data URLs in all other contexts
this commit aligns with that, opting them into being same-origin
elsewhere.
Workers however are still prevented. It would create problems for
shared workers and potentially also for dedicated workers.
Fixes #381.