This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
See http://lists.w3.org/Archives/Public/public-webapps/2013OctDec/0622.html
A problem would be that <img src=data:...> is no longer safe as it could execute a network request if the MIME type was text/vcard or some such.
Why would that not be safe? What's the attack vector?
An intranet could have broken (but harmless) code of the form <img src=mailto:test> This would suddenly start issuing network requests and reveal potentially confidential information to the user's email provider. I have a hard time thinking of something better, but it seems unexpected and potentially bad to have network requests for things that were just network errors before.
If a page has <img src=mailto:test>, it's pretty bogus...
Chrome does not appear to implement registerContentHandler() and Gecko does not appear to implement these for fetching (just navigation). I could define these but interest seems limited.
IMHO, we shouldn't worry about <img src=mailto:test>. That's unlikely to be a problem in practice. I'm less sure about content handlers and data URLs...
Adam, but should we make it work at all? I think I'd rather have these only take effect during navigation. That seems much more intuitive.
https://github.com/whatwg/html/issues/198