Handling of data URLs #111
Comments
|
Thank you. To answer your questions. 1) XMLHttpRequest should indeed set that flag. 2) All redirects should unset the same-origin data-URL flag. What makes you think it is only unset for certain modes? |
|
How do you want to appear in acknowledgments section by the way? As Hiroshige Hayashizaki (I'm assuming that's you) or also your name in kanji? |
|
Thanks!
Ah, my statement was ambiguous; I meant:
"Hiroshige Hayashizaki" is fine. Thanks! |
…han context (which is gone from Fetch). See whatwg/fetch#111 for details on the first change.
|
Okay. So if mode is "no-cors" you can end up with an opaque response that is a data URL. The idea behind this was e.g., Similar with |
|
@hiroshige-g I think I can close this, correct? |
|
Yes, thanks for fixing the spec for 1) and clarification for 2)! (However, for 2), I expect redirects to data URLs in no-cors mode will be disabled in Chromium, at least in the initial support for data URLs, because redirects to data URLs are intentionally forbidden in Chromium as I mentioned above.) |
|
@hiroshige-g you mean that |
|
@annevk Could you let me know the test case you used? That would be quite helpful for us. |
|
I don't remember, it seems like did not test properly. It also seems |
|
https://bugzilla.mozilla.org/show_bug.cgi?id=1018872 has additional context for the mess around data URLs. |
|
@hiroshige-g, @bzbarsky objected to changing the handling of data URLs. He would favor that we retain the old handling where you can redirect to a data URL, but the result would be an opaque response. Both cases special case the data URLs in the handling of redirects, but arguably marking them opaque (and therefore failing "cors") is a bit more principled and consistent. What do you think? Reopening for now. |
|
Why does this require special casing of data: URLs? It seems to me like the principled thing is that data: can be loaded anywhere you load things, but defaults to CORS-cross-origin unless opted in otherwise by the caller. That should make the opaque response here automatic, no? And of course a bunch of the platform needs to opt in to data: being considered CORS-same-origin. |
|
When we last discussed this we decided that a redirect should make a data URL response opaque. |
|
Right, that's the "default" data behavior. |
|
No, even in the case of this opt-in flag being set, since the person using this API might not expect it to come from a redirect. (E.g., an open redirect or a hostile cross-origin URL.) |
|
The opt-in flag is on a per-request basis. So it would have to be set by the redirect code to get set here. |
|
Ah, there is the misunderstanding. The request you pass to fetch is kept around. That's why redirects will have to unset the flag. |
|
We might be defining the term "request" differently. I'm talking about whatever object there are two of ("pre-redirect" and "post-redirect") when an HTTP redirect happens. That's the object that the flag should live on. |
|
That is, this flag is not a property of a fetch wholesale but rather a property of a single actual handling of a URL, whatever you want to call that thing. |
|
There's no such thing conceptually. But unsetting the flag during a redirect has the same effect and was what was in the specification before. |
|
@hiroshige-g @mikewest would you be okay with me changing this back in Fetch to match what @bzbarsky wants? Either way it's a special case from the point of view of Fetch' algorithms, but allowing redirects to data URLs would not break http://software.hixie.ch/utilities/cgi/data/data for instance, which seems nice. |
|
It is fine with me that the spec allows redirects to data URLs in no-cors mode while Chromium reject them per Chromium-specific policy. |
|
I would want Chromium to not have Chromium-specific policies, ideally. |
|
We're basically honoring abarth's comment in https://crbug.com/64092. It doesn't prevent us from revisiting it but it requires consulting our security team. |
|
It seems like abarth's concern is primarily making sure you end up with the right origin ("security context"). That is handled pretty well for navigations in the specification so I think we should just allow this and hope Chromium relaxes this constraint at some point. I don't see it helping much to turn this into a network error. |
The rationale for forbidding redirects to data URLs was not sound enough. Therefore this commit reverts f986c43 which introduced the restriction.
|
Done, the specification now allows redirects to data URLs again. Chrome will have to figure out how Firefox managed to do that securely, I suppose. Per the specification it should be secure. |
|
Some related tests in web-platform-tests/wpt#3644 |
|
As I read the spec now, redirections to data URLs are triggering a network error, as per step 4 of section 5.4, which would align with Chrome behavior. Where was it discussed? |
|
See #309, but note that HTML's navigate has its own redirect logic that for now still allows data URLs. This is only for redirects from other endpoints, such as |
|
I don't think WebKit is matching this. Doing a quick check, firefox seems to load redirected data URLs for img/script, treating them as same origin I believe. |
|
Is it just data URLs or are there other URL schemes you also allow redirects to from these contexts? I suppose I can file a new issue on this. Note that treating them as same-origin is potentially leaky (although not if you also treat them as same-origin inside |
|
data URLs is the only case I encountered. I would restrict the issue to that scheme. |
Hi,
I encountered some questions while I'm implementing Fetch API + data scheme in Chromium/Blink.
Question 1: Are XHRs to data URLs intentionally prohibited, or just XHR's spec lacks same-origin data-URL flag setting or so?
(I expect the latter because I thought previously we could use XHRs to data URLs)
Fetch API + data URLs: fetch('data://...') is resolved for all modes because same-origin data-URL flag is set in Request() constructor.
However, all XHRs to 'data://...' are rejected according to the spec [https://xhr.spec.whatwg.org/], because same-origin data-URL flag is not set (and the default is "unset") and mode is CORS or CORS-with-forced-preflight.
Question 2: What is the intention of unsetting same-origin data-URL flag on redirect? Are redirects from HTTP(S) to data URLs intentionally allowed in no-cors mode?
Example: fetch('http://example.com/A') where the response from 'http://example.com/A' returns a 'Location: data://...' header.
In such cases, on redirect, same-origin data-URL flag is unset and thus fetch is rejected, except for when mode is "no-cors".
In "no-cors" mode, the case of <request's mode is "no-cors"> is applied and opaque response is returned.
Is "same-origin data-URL flag" introduced to forbid redirects to data URLs in general?
If so, such redirects should be rejected also in "no-cors" mode.
Related Chromium bugs:
Redirects to data URLs are intentionally forbidden in Chromium
(so perhaps redirects to data URLs in Fetch API will be also rejected):
https://code.google.com/p/chromium/issues/detail?id=64092
https://code.google.com/p/chromium/issues/detail?id=272072
Implementing Fetch API + data URLs:
https://code.google.com/p/chromium/issues/detail?id=521475
The text was updated successfully, but these errors were encountered: