23727 2013-11-05 17:45:52 +0000 Same-origin redirect to data URLs should still be same-origin? 2014-06-05 08:47:20 +0000 1 1 1 Unclassified WHATWG Fetch unspecified PC All RESOLVED FIXED P2 normal Unsorted 1 annevk annevk mike sideshowbarker+fetchspec oldest_to_newest 95818 0 annevk 2013-11-05 17:45:52 +0000 This appears to be the current definition in HTML and we are breaking it. That's no good. Whether anyone implements this is another matter. 95823 1 annevk 2013-11-05 18:28:18 +0000 http://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0180.html Attack: Site has an open redirect. Can supply same-origin content that would otherwise have been filtered. 95825 2 annevk 2013-11-05 18:38:33 +0000 See bug 21506 for another discussion on this topic. Seems like this should be WONTFIX. 106291 3 annevk 2014-05-18 17:38:21 +0000 Per http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0473.html we might want to have a different origin handling for data URLs and such altogether. 107326 4 annevk 2014-06-05 08:47:20 +0000 https://github.com/whatwg/fetch/commit/5b64685a97a7d6f24814172de68399d0225a4cae