Treat 'data:' documents as unique, opaque origins #1756
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch changes the handling of 'data:' URLs to which user agents navigate. Rather than inheriting the origin of the settings object responsible for the navigation, they will be treated as unique, opaque origins. This aligns the spec with the behavior found in Chrome, Safari, Opera, and Edge. Closes #1753.
domenic
added
security/privacy
|
LGTM, this does what it intends to do. The original issue hasn't been open for long, though, so I think we should give it just a little bit more time. |
| @@ -79440,6 +79440,10 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span | |||
| <dt id="sandboxOrigin">If the <code>Document</code>'s <span>active sandboxing flag set</span> | |||
| has its <span>sandboxed origin browsing context flag</span> set</dt> | |||
|
|
|||
| <dt>If the <code>Document</code> was generated from a <span data-x="data | |||
| protocol"><code>data:</code> URL</span> found in another <code>Document</code> or in a | |||
| script</dt> | |||
There was a problem hiding this comment.
I suspect we should drop "found in another Document or in a script" here, no? Or is there some subtlety I'm missing?
There was a problem hiding this comment.
No, I was just making the smallest change possible. Dropping the "found in another Document" bit would just mean that we'd also need to change the example in the "some other manner" section. shrug Easy enough.
|
LGTM, will let @foolip decide when to land. |
alice
pushed a commit
to alice/html
that referenced
this pull request
Jan 8, 2019
This patch changes the handling of 'data:' URLs to which user agents navigate. Rather than inheriting the origin of the settings object responsible for the navigation, they will be treated as unique, opaque origins. This aligns the spec with the behavior found in Chrome, Safari, Opera, and Edge. Closes whatwg#1753.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch changes the handling of 'data:' URLs to which user agents
navigate. Rather than inheriting the origin of the settings object
responsible for the navigation, they will be treated as unique,
opaque origins.
This aligns the spec with the behavior found in Chrome, Safari,
Opera, and Edge.
Closes #1753.