Same-origin data-URL flag only for fetch and XHR? #381
Comments
|
That's interesting. I would have thought |
|
<script>
window.onerror = function(message, source, lineno, colno, error)
{
console.log(message + "\nReceived error from \"" + source + "\". Error location is " + lineno + ":" + colno + ".");
}
var script = document.createElement("script");
script.crossOrigin = "";
script.src = "data:text/script, throw 'PASS: my error is rich!'";
document.body.appendChild(script);
</script>
Firefox, Chrome and WebKit behave differently. |
<script>
window.onerror = function(message, source, lineno, colno, error)
{
console.log(message + "\nReceived error from \"" + source + "\". Error location is " + lineno + ":" + colno + ".");
}
var script = document.createElement("script");
script.crossOrigin = "";
script.src = "data:text/script, throw 'PASS: my error is rich!'";
document.body.appendChild(script);
</script> |
The snippet @youennf posted does not enrich the More generally, I know that we allow extraction of pixels from |
|
Firefox does not seem to fully treat data URLs scripts as same-origin: the error is only partially enriched. Or maybe there is a bug preventing to enrich the error. Another example is ShapeOutside CSS property which must be "potentially CORS-enabled fetch"ed in "anonymous" mode. In WebKit, we recently set the same-origin data-url flag for this one. I don't know the historical reasons of the same-origin data URL flag. |
|
@mikewest the specification is largely aligned with Chrome already. That is why it has the flag to make data URLs same-origin in a limited number of contexts. The problem here is that Chrome is not consistent. E.g., not failing the load for |
I was being flippant. By "the spec", I was talking more about HTML "origin of a document" than Fetch.
Yup. I said "ideally" because I agree with you that Chrome's current behavior is weird in some places. I suspect that @tyoshino might know more about Chrome's CORS exceptions for |
Is there an issue on that? I'm not sure what this is referring to. |
|
I enabled data URL support for XHR in Chrome by a bit tricky way (changed WebURLLoaderImpl to virtually issue "Access-Control-Allow-Origin: *" to blink) 2 years ago (http://crbug.com/308768). It's not making data URLs handled as same-origin, but as cross-origin resource but with the CORS header to allow access.
At the layer of checking same/cross-origin-ness, there could be some special treatment for data scheme, but I'm not so much familiar with. |
|
This solution might cause issues with credentials then, not particularly important but still. If there is no good reason for preventing data URLs to be same-origin, let's make them same-origin. |
|
@annevk: Filed whatwg/html#1753 for discussion. |
|
@youennf Blink is opposed to making data URLs same-origin. https://bugzilla.mozilla.org/show_bug.cgi?id=255107 has some of their rationale. However, Blink does treat data URLs as same-origin in certain contexts (when not the result of a redirect): I think my takeaway from this issue is that we should use this flag for |
|
Thanks for the pointer, I'll check that. It would be good to set that flag for |
|
It was added in whatwg/html#499 ... but img-environment-changes also needs it. :-( (Yes, we should factor out the common bits.) |
|
Great, does it cover also https://drafts.csswg.org/css-shapes/#propdef-shape-outside? |
|
@youennf no, it would not cover that necessarily. CSS doesn't define how it fetches resources, so it's unclear what code paths CSS would (re)use. |
|
This spec says: In WebKit, the SameOrigin data URL flag is also set. |
|
@youennf I guess they need to update to integrate with Fetch then. |
All of that only applies to navigation and maybe worker loads, not any other fetches, afaict. |
|
Yeah, given whatwg/html#1243 (comment) onwards perhaps we should remove this flag and just special case navigation and workers. |
|
Sounds like a good plan to me. |
HTML gives data URLs a unique origin when navigating to them to prevent a class of XSS attacks. Since browsers already largely allow data URLs in all other contexts this commit aligns with that, opting them into being same-origin elsewhere. Workers however are still prevented. It would create problems for shared workers and potentially also for dedicated workers. Fixes #381.
|
Created a PR, review appreciated. |
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
|
Note that in whatwg/html#1243 (comment) @bzbarsky proposes a plan different from what I expected. Namely to allow data URLs for (I assume just dedicated) workers, but make them create a worker in an opaque origin. |
|
So I won't be landing this right now until the details of that alternative plan are sorted, which I guess will take a while given all the timezone issues. |
Fire the final progress event before switching the state to DONE in “handle response-end-of-body”. And no longer fire events named progress in “request error steps”. Fixes #72. (This commit also removes the same-origin data-URL flag that is about to be removed in Fetch per whatwg/fetch#381. That change has no impact on implementations.)
Fire the final progress event before switching the state to DONE in “handle response-end-of-body”. And no longer fire events named progress in “request error steps”. Fixes #72. (This commit also removes the same-origin data-URL flag that is about to be removed in Fetch per whatwg/fetch#381. That change has no impact on implementations.)
By-and-large browsers treat data URLs as same-origin, though there are some inconsistencies. This change will treat all data URLs, regardless of origin, as same-origin from the perspective of Fetch. HTML already assigns a unique opague origin to documents created from a data URL and the plan of record is to do so for dedicated workers too. HTML will likely also forbid shared workers to be created from data URLs. See whatwg/html#1782 for the proposed changes to HTML. (This has not landed yet, if that PR is tweaked further the note added here might need some tweaks.) Service workers already prevent anything but HTTP(S) URLs from creating them. Fixes #381.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1243, closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes #1778, and closes #1779 as these are all treated as same-origin now per the change to Fetch.
The change to Fetch discussed in whatwg/fetch#381 made it obsolete. Closes whatwg#1778, and closes whatwg#1779 as these are all treated as same-origin now per the change to Fetch.
AFAIK, this flag is only used by XHR and fetch.
It does not seem to be used by the HTML specification at all.
Is it on purpose or just a lack of synchronization?
Doing a quick test, crossorigin-attribute-enabled scripts seem to load fine with data URLs in Chrome and Firefox.
The text was updated successfully, but these errors were encountered: