On 2015-04-27 22:58, Jonas Sicking wrote:
> On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
>> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>>> Currently Chrome supports data URLs inside EventSource whereas in
>>> Firefox EventSource is restricted to http/https URLs:
>>>
>>>    https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>>
>>> What's the convergence we want here?
>> It's rather frustrating when data: urls don't work in various places;
>> they're an invaluable debugging tool, at minimum.  They should
>> generally be treated as the same security level as the page, no?
> There's definitely exceptions to this. For example chrome doesn't run
> a <iframe src="data:..."> with the same origin as its parent. For IMHO
> good reasons since it's a potential XSS vector if a website accepts
> URLs from third parties and renders them inside a child <iframe>.
>
> The same problem exists with accepting data: URLs in "new Worker(...)".

I think this is unfortunate.

In iframe, srcdoc attribute seems as secure (insecure) as data: URL in src, so should it be removed from the spec?

The restriction on data: URLs in iframe.src can also be worked around by creating an iframe with src="about:blank" and then manipulating its DOM as you wish.

On Web Worker, according to the current spec (http://dev.w3.org/html5/workers/#dedicated-workers-and-the-worker-interface), data: URL and same-origin blob: URL are allowed as worker URL:

Firefox accepts data: URL as worker URL, and I remember that older versions of Chrome also did.

So should the Worker spec be changed to disallow data:/blob: URL? This change would make it hard or impossible to ship a web app/library that uses workers in one file.

Regards,
  Duan Yao
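
An added example, not part of the original message or of any browser's code: one way a site that embeds URLs supplied by third parties (the case Jonas Sicking describes) can allow-list schemes on the parsed URL before assigning it to iframe.src or passing it to new Worker(). The function names and the app.example / cdn.example hosts are assumptions made for illustration.

```javascript
// Only these schemes may be embedded; data:, blob:, javascript:, about: are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string if `input` may be used as <iframe src>,
// otherwise null. The check runs on the parsed URL, so case differences and
// leading whitespace in the scheme cannot slip past it.
function safeFrameUrl(input, pageUrl) {
  let url;
  try {
    url = new URL(input, pageUrl); // WHATWG URL parser, relative to the page
  } catch {
    return null; // not parseable as a URL at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// A worker script executes with the embedding site's authority, so in
// addition to the scheme check require the same origin as the page.
function safeWorkerUrl(input, pageUrl) {
  const href = safeFrameUrl(input, pageUrl);
  if (href === null) return null;
  return new URL(href).origin === new URL(pageUrl).origin ? href : null;
}

// Constructed sample inputs (not taken from the thread).
const PAGE = "https://app.example/editor";
const SAMPLES = [
  "https://cdn.example/widget.html",
  "/static/worker.js",
  "data:text/html,<b>hi</b>",
  "  DATA:text/javascript,postMessage(1)",
  "blob:https://app.example/0000-1111",
  "about:blank",
];

// Evaluate every sample against both sinks.
function checkSamples() {
  return SAMPLES.map((s) => ({
    input: s,
    frame: safeFrameUrl(s, PAGE),
    worker: safeWorkerUrl(s, PAGE),
  }));
}

console.table(checkSamples());
```
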
