11720 – At the moment, chrome and opera thinks that iframe with source equal to data url has *not* the same origin as parent window's document. I think that this behavior is much more useful, because it can be used as a simpliest way of sandboxing of content.

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 11720 - At the moment, chrome and opera thinks that iframe with source equal to data url has *not* the same origin as parent window's document. I think that this behavior is much more useful, because it can be used as a simpliest way of sandboxing of content.

Summary: At the moment, chrome and opera thinks that iframe with source equal to data ...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	LC1 HTML5 spec (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-01-10 17:15 UTC by contributor
Modified:	2011-08-04 05:34 UTC (History)
CC List:	11 users (show)

See Also:

Attachments
Testcase for browsers (244 bytes, text/html) 2011-01-10 17:18 UTC, Fedor Indutny	Details

Description contributor 2011-01-10 17:15:00 UTC

Specification: http://www.whatwg.org/specs/web-apps/current-work/
Section: http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin

Comment:
At the moment, chrome and opera thinks that iframe with source equal to data
url has *not* the same origin as parent window's document. I think that this
behavior is much more useful, because it can be used as a simpliest way of
sandboxing of content.

Posted from: 2.60.105.113

Comment 1 Fedor Indutny 2011-01-10 17:18:06 UTC

Created attachment 940 [details]
Testcase for browsers

As you can see - chrome and opera has no access to document cookies and window.parent, while firefox has.

I think that in this case chrome and firefox are right, b/c protocol differs and there no hostname for data-urls.

As I'd said this can be used for content-sandboxing and JSONP-sandboxing (in a couple with window.postMessage() API )

Comment 2 Anne 2011-01-10 17:27:49 UTC

Such behavior would not be useful however for <canvas> and data URLs and it would be nice if it was somewhat consistent.

Comment 3 Fedor Indutny 2011-01-10 17:32:51 UTC

Anne:
What is "consistent" for you in such case?
Treat them as same origin or not?

As far as I know, Opera treats those urls as not-same-origin and prevents access from inside and to outside.

Comment 4 Anne 2011-01-10 18:07:16 UTC

Consistent would be the same, either way. And what Opera does now can change. I was just stating what I think is most useful for <canvas> and I think that trumps the sandboxing use case, especially as that is already addressed.

Comment 5 Adam Barth 2011-01-21 06:14:03 UTC

There's a WebKit bug on matching HTML5 and Firefox in this regard.  It's just a bit complicated so I haven't done it yet.

Comment 6 Ian 'Hixie' Hickson 2011-02-16 09:35:26 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: Since we have the srcdoc="" feature now, it's not really a high priority to have data: URLs be useful for this purpose as well.

Comment 7 Michael[tm] Smith 2011-08-04 05:34:52 UTC

mass-move component to LC1