This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
This appears to be the current definition in HTML and we are breaking it. That's no good. Whether anyone implements this is another matter.
http://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0180.html
Attack: Site has an open redirect. Can supply same-origin content that would otherwise have been filtered.
See bug 21506 for another discussion on this topic. Seems like this should be WONTFIX.
Per http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0473.html we might want to have a different origin handling for data URLs and such altogether.
https://github.com/whatwg/fetch/commit/5b64685a97a7d6f24814172de68399d0225a4cae