On 6/2/14, 9:00 AM, Anne van Kesteren wrote:
> You're not persuaded by the attack scenario?

Correct. I mean, the same scenario applies to srcdoc, document.write() into an iframe, etc. Why are data urls special?

> Provided we agree that it is always unset after any redirect, yes.

We agree on that.

-Boris