On 6/2/14, 10:15 AM, Anne van Kesteren wrote:
> The attack is the URL. A developer has to specifically consider data URLs and realize their implications.
Note that this is already true for javascript: URLs in @src values (but not in location sets and the like, I agree).
-Boris