On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> Currently Chrome supports data URLs inside EventSource whereas in
>> Firefox EventSource is restricted to http/https URLs:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>
>> What's the convergence we want here?
>
> It's rather frustrating when data: urls don't work in various places;
> they're an invaluable debugging tool, at minimum. They should
> generally be treated as the same security level as the page, no?
There are definitely exceptions to this. For example, Chrome doesn't run an <iframe src="data:..."> with the same origin as its parent, for IMHO good reasons, since it's a potential XSS vector if a website accepts URLs from third parties and renders them inside a child <iframe>. The same problem exists with accepting data: URLs in "new Worker(...)".

So no, I don't think it should be treated as the same security level as the page. For data-loading APIs, rather than script-running APIs, I see less of such risk though.

/ Jonas
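An added example, not from this thread and not any browser's code: the defensive check a site would apply to URLs it accepts from third parties before using one as an <iframe src> or a new Worker() argument, which is the XSS vector the reply above describes. The function names (isSafeEmbedUrl, filterEmbedUrls) and the sample inputs are constructed for illustration. It relies on the WHATWG URL parser (built into Node and browsers), which lowercases the scheme and strips leading and trailing whitespace, so "DATA:" or " data:" cannot slip past a plain allowlist of http/https.

```javascript
// Scheme allowlist for third-party URLs that a page would embed as
// <iframe src> or pass to new Worker(). Only http/https are accepted;
// data:, javascript:, blob: and anything unparsable are rejected.
// Example code added for illustration; names are hypothetical.
const EMBED_ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only for an absolute http(s) URL. Relative inputs throw in
// the URL constructor (no base is supplied on purpose: a third-party URL
// that resolves against our own origin is not something we want to embed).
function isSafeEmbedUrl(input) {
  if (typeof input !== "string") return false;
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // unparsable or relative: never embedded
  }
  // url.protocol is already lowercased by the parser, so "DATA:" -> "data:"
  return EMBED_ALLOWED_SCHEMES.has(url.protocol);
}

// Normalised href if the URL is embeddable, otherwise null. Callers should
// use the returned value, not the raw input, as the src attribute.
function safeEmbedUrlOrNull(input) {
  return isSafeEmbedUrl(input) ? new URL(input).href : null;
}

// Partition a batch of candidate URLs into embeddable and rejected lists.
function filterEmbedUrls(inputs) {
  const allowed = [];
  const rejected = [];
  for (const input of inputs) {
    (isSafeEmbedUrl(input) ? allowed : rejected).push(input);
  }
  return { allowed, rejected };
}

// Constructed sample inputs; several try to smuggle a script-bearing scheme.
const SAMPLE_INPUTS = [
  "https://example.com/widget",
  "HTTPS://EXAMPLE.COM/",                       // scheme case is normalised
  "http://example.com/legacy",
  "data:text/html,<script>alert(1)</script>",   // the iframe/worker XSS vector
  "DATA:text/html,hello",                       // upper-case scheme, same thing
  " data:text/html,hello",                      // leading space is stripped by the parser
  "javascript:alert(1)",
  "blob:https://example.com/some-uuid",
  "/relative/path",                             // relative: rejected outright
  "",
];

const report = filterEmbedUrls(SAMPLE_INPUTS);
console.log("allowed:", report.allowed);
console.log("rejected:", report.rejected);
```

The important property is that the decision is made on the parsed scheme rather than on a prefix match of the raw string; the last three "data:" variants in the sample list all collapse to the same rejected protocol once parsed.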