11720 2011-01-10 17:15:00 +0000 At the moment, chrome and opera thinks that iframe with source equal to data url has *not* the same origin as parent window's document. I think that this behavior is much more useful, because it can be used as a simpliest way of sandboxing of content. 2011-08-04 05:34:52 +0000 1 1 1 Unclassified HTML WG LC1 HTML5 spec unspecified Other other RESOLVED WONTFIX http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin P3 normal --- 1 contributor ian annevk bzbarsky dbaron fedor ian mike mounir public-html-admin public-html-wg-issue-tracking shadow2531 w3c public-html-bugzilla oldest_to_newest 44003 0 contributor 2011-01-10 17:15:00 +0000 Specification: http://www.whatwg.org/specs/web-apps/current-work/ Section: http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin Comment: At the moment, chrome and opera thinks that iframe with source equal to data url has *not* the same origin as parent window's document. I think that this behavior is much more useful, because it can be used as a simpliest way of sandboxing of content. Posted from: 2.60.105.113 44004 1 940 fedor 2011-01-10 17:18:06 +0000 Created attachment 940 Testcase for browsers As you can see - chrome and opera has no access to document cookies and window.parent, while firefox has. I think that in this case chrome and firefox are right, b/c protocol differs and there no hostname for data-urls. As I'd said this can be used for content-sandboxing and JSONP-sandboxing (in a couple with window.postMessage() API ) 44005 2 annevk 2011-01-10 17:27:49 +0000 Such behavior would not be useful however for <canvas> and data URLs and it would be nice if it was somewhat consistent. 44006 3 fedor 2011-01-10 17:32:51 +0000 Anne: What is "consistent" for you in such case? Treat them as same origin or not? As far as I know, Opera treats those urls as not-same-origin and prevents access from inside and to outside. 44008 4 annevk 2011-01-10 18:07:16 +0000 Consistent would be the same, either way. And what Opera does now can change. I was just stating what I think is most useful for <canvas> and I think that trumps the sandboxing use case, especially as that is already addressed. 44543 5 w3c 2011-01-21 06:14:03 +0000 There's a WebKit bug on matching HTML5 and Firefox in this regard. It's just a bit complicated so I haven't done it yet. 45682 6 ian 2011-02-16 09:35:26 +0000 EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Rejected Change Description: no spec change Rationale: Since we have the srcdoc="" feature now, it's not really a high priority to have data: URLs be useful for this purpose as well. 53960 7 mike 2011-08-04 05:34:52 +0000 mass-move component to LC1 940 2011-01-10 17:18:06 +0000 2011-01-10 17:18:06 +0000 Testcase for browsers index.html text/html 244 fedor PCFET0NUWVBFIGh0bWw+CjxodG1sPgogIDxib2R5PgogICAgPHNjcmlwdD4KICAgICAgZG9jdW1l bnQuY29va2llID0gJ3Rlc3QnOwogICAgPC9zY3JpcHQ+CiAgICA8aWZyYW1lIHNyYz0iZGF0YTp0 ZXh0L2h0bWw7cGxhaW4sPCFkb2N0eXBlIGh0bWw+PGh0bWw+PGJvZHk+PHNjcmlwdD5hbGVydChk b2N1bWVudC5jb29raWUpOzwvc2NyaXB0PmhlbGxvIHdvcmxkITwvYm9keT48L2h0bWw+IiAvPgog IDwvYm9keT4KPC9odG1sPg==