On Mon, Apr 27, 2015 at 3:58 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> On Mon, Apr 27, 2015 at 2:20 PM, Tab Atkins Jr. <jackalm...@gmail.com> wrote:
>> On Mon, Apr 27, 2015 at 7:00 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>>> Currently Chrome supports data URLs inside EventSource whereas in
>>> Firefox EventSource is restricted to http/https URLs:
>>>
>>>   https://bugzilla.mozilla.org/show_bug.cgi?id=1156137
>>>
>>> What's the convergence we want here?
>>
>> It's rather frustrating when data: urls don't work in various places;
>> they're an invaluable debugging tool, at minimum.  They should
>> generally be treated as the same security level as the page, no?
>
> There are definitely exceptions to this. For example Chrome doesn't run
> a <iframe src="data:..."> with the same origin as its parent. For IMHO
> good reasons since it's a potential XSS vector if a website accepts
> URLs from third parties and renders them inside a child <iframe>.
>
> The same problem exists with accepting data: URLs in "new Worker(...)".
>
> So no, I don't think it should be treated as the same security level
> as the page.
>
> For data-loading APIs, rather than script-running APIs, I see less of
> such risk though.

Yeah, I can see the potential risks for script-running APIs, but this
is definitely a data-loading API. ^_^

~TJ
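The mitigation Jonas's quoted reply implies, only handing http/https URLs from third parties to an embedding sink such as an iframe, a Worker or an EventSource, as an added example that is not code from anyone on the thread. The base URL and the `embeddableUrl` helper are assumptions for illustration.

```javascript
// Added example: normalise a third-party supplied URL and accept it only if
// it resolves to http: or https:. Anything else (data:, javascript:, blob:,
// malformed input) is rejected before it ever reaches iframe.src,
// new Worker(...) or new EventSource(...).
const EMBED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical base origin of the embedding page, used to resolve relative
// and protocol-relative inputs the same way a browser would.
const PAGE_BASE = "https://example.com/";

function embeddableUrl(input, base = PAGE_BASE) {
  let url;
  try {
    // The URL parser trims surrounding whitespace and lowercases the scheme,
    // so "  DATA:..." is still caught as data: below.
    url = new URL(String(input), base);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return EMBED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Apply the check at the sink: returns the URL that may be used, or null.
function urlForSink(sinkName, input) {
  const href = embeddableUrl(input);
  if (href === null) {
    // A real application would log/report the rejection here.
    return null;
  }
  return { sink: sinkName, href };
}

module.exports = { embeddableUrl, urlForSink };
```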
