Hey Everyone,

we plan to change the handling of data: URLs for FF57. Rather than inheriting 
the origin of the settings object responsible for the navigation, data: URIs 
will be treated as unique, opaque origins [0]. In other words, data: URLs 
loaded inside an iframe are not same-origin with their including context 
anymore. Not only will that behavior mitigate the risk of XSS, it will also 
make Firefox spec compliant [0] and compliant with the behavior of other 
browsers which all have been shipping that behavior for a long time.

Over the past weeks we have converted hundreds of tests within our test suite 
to comply with the new data: URI inheritance model. Please note that we have 
test coverage for both worlds, the new, as well as the old behavior. By now we 
have a green TRY run for Linux, but have to do a few follow ups for other 
platforms since some of the failing tests were disabled on Linux. Anyway, 
currently this feature lives behind the pref 
|security.data_uri.unique_opaque_origin| which we plan to flip for FF57 so 
data: documents become unique, opaque, origins.

Even though we have good test coverage we are currently extending web platform 
tests to make sure behavior is consistent across browsers. We don’t think that 
adding those additional tests should hold us back from flipping the pref. 
Ideally we suggest to flip the pref rather sooner than later to eliminate 
potential issues early in Nightly.

Overall progress of the project will be tracked here [1].

 Christoph, Ethan, Henry, and Yoshi

[0] https://html.spec.whatwg.org/multipage/origin.html#origin 
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 
dev-platform mailing list

Reply via email to