On Mon, Feb 25, 2013 at 8:06 PM, Boris Zbarsky <[email protected]> wrote:
> On 2/25/13 3:00 PM, Adam Barth wrote:
>> Yes, that's to defend against a different sort of attack. In some
>> browsers, like Firefox, data URLs inherit the security context of
>> their authors.
>
> This is not the case for data: URLs that are the target of a redirect, for
> what it's worth. At least in Firefox, last I checked.

Does it matter if it's a same-origin redirect though? It seems then it should be okay (given there's no cross-origin URL in the redirect chain).

> The only argument I've seen for Chrome's behavior is in
> https://bugzilla.mozilla.org/show_bug.cgi?id=786275

That seems to argue for even stricter rules. Basically stopping navigation to data URLs.

-- 
http://annevankesteren.nl/
