This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 17461 - CORS-enabled fetch supports javascript: and about:blank
Summary: CORS-enabled fetch supports javascript: and about:blank
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
Depends on:
Reported: 2012-06-11 10:41 UTC by contributor
Modified: 2013-04-09 18:18 UTC (History)
5 users (show)

See Also:


Description contributor 2012-06-11 10:41:00 UTC

<track> data: URLs should be supported

Posted from: 2001:4c28:a030:30:450a:b4aa:b818:bf52 by
User agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; en) Presto/2.10.229 Version/11.64
Comment 1 Simon Pieters 2012-06-11 10:45:59 UTC
Using <track src="data:...."> currently seems to fail at the "resource sharing check" since there's no Access-Control-Allow-Origin header.

To make data: URLs function like same-origin for <track>, I think the potentially CORS-enabled fetch algorithm should have an entry point as "If URL is a data: URL" at the top, and then skip the resource sharing check if URL is a data: URL and instead just set result to success.
Comment 2 contributor 2012-07-18 17:59:49 UTC
This bug was cloned to create bug 18295 as part of operation convergence.
Comment 3 Ian 'Hixie' Hickson 2012-08-29 20:27:45 UTC
I've added data:, javascript:, and about:blank. For the current uses of the algorithm, I'm 80% sure this is safe in all cases. We'd better be careful with future uses of this algorithm though.
Comment 4 Simon Pieters 2012-08-30 06:58:30 UTC
javascript: shouldn't be supported generally. Opera deliberately only supports it where it is needed for compat. I don't know for sure what the full list is right now, but <a href>, <area href>, <form action>, <iframe src> and <frame src> are allowed.
Comment 5 Simon Pieters 2012-08-30 08:45:05 UTC
So Opera supports javascript: in browsing contexts and in navigations of browsing contexts. <object src=javascript:> is not supported because it's not a browsing context when the fetch happens. However an <object> that is a browsing context can probably navigate to a javascript: URL.

Additionally, I'm not sure about:blank should be supported here. I think it makes more sense for each thing that uses CORS-enabled fetch and wants to support about:blank to special-case it. (Currently it seems useless for everything that uses CORS-enabled fetch.)
Comment 6 Ian 'Hixie' Hickson 2012-09-11 22:07:03 UTC
I don't see much point in not supporting javascript: and about:blank in these cases.
Comment 7 Simon Pieters 2012-09-12 16:16:09 UTC
We want to limit javascript: as to not increase sites' attack surface. As for about:blank, what's the use case?
Comment 8 Ian 'Hixie' Hickson 2012-09-28 03:51:25 UTC
How does javascript: increase attack surface?

about:blank is there just for consistency. The three groups of URLs are treated similarly throughout.
Comment 9 Simon Pieters 2012-09-28 08:46:53 UTC
Sites that use blacklist-based content filtering get increased attack surface when browsers execute scripts in new places.
Comment 10 Ian 'Hixie' Hickson 2012-09-28 19:52:06 UTC
Sites that use blacklist-based security are doomed. It's dumb for us to try to help them. It just makes them feel safer than they are.
Comment 11 Anne 2012-12-14 22:36:58 UTC
When I looked at this my conclusion was that javascript: should be done during navigation. The others should be supported by fetching, but not after redirects. See also:
Comment 12 Ian 'Hixie' Hickson 2013-02-13 18:12:47 UTC
Ok, for javascript: let's move this to bug 20990. That's the only thing left that people want changing for <track>, right? So we can close this bug?
Comment 13 Ian 'Hixie' Hickson 2013-04-09 18:18:25 UTC
See comment 12.