This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.

Bug 23727 - Same-origin redirect to data URLs should still be same-origin?
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
Reported: 2013-11-05 17:45 UTC by Anne
Modified: 2014-06-05 08:47 UTC

Description Anne 2013-11-05 17:45:52 UTC
This appears to be the current definition in HTML and we are breaking it. That's no good. Whether anyone implements this is another matter.

Comment 1 Anne 2013-11-05 18:28:18 UTC
http://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0180.html

Attack: Site has an open redirect. Can supply same-origin content that would otherwise have been filtered.

Comment 2 Anne 2013-11-05 18:38:33 UTC
See bug 21506 for another discussion on this topic.

Seems like this should be WONTFIX.

Comment 3 Anne 2014-05-18 17:38:21 UTC
Per http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0473.html we might want to have a different origin handling for data URLs and such altogether.