Reinvestigate redirects to data URLs #393
Comments
I think in Gecko any redirect to a data URL is considered CORS-cross-origin.
Chrome does seem to consistently fail for redirects to data URLs. E.g., adding `<script src=../resources/redirect.py?location=data:,alert(1) onerror=alert('error')></script>` to Not sure what we want to align on here. Firefox is the only browser to follow redirects to data URLs consistently by failing several of the tests in
I also tested with <img src="../resources/redirect.py?location=data:image/png%3Bbase64,iVBORw0KGgoAAAANSUhEUgAAAIUAAABqCAIAAAAdqgU8AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAF6SURBVHhe7dNBDQAADIPA%2Bje92eBxSQUQSLedlQzo0TLQonFWPVoGWjT%2BoUfLQIvGP/RoGWjR%2BIceLQMtGv/Qo2WgReMferQMtGj8Q4%2BWgRaNf%2BjRMtCi8Q89WgZaNP6hR8tAi8Y/9GgZaNH4hx4tAy0a/9CjZaBF4x96tAy0aPxDj5aBFo1/6NEy0KLxDz1aBlo0/qFHy0CLxj/0aBlo0fiHHi0DLRr/0KNloEXjH3q0DLRo/EOPloEWjX/o0TLQovEPPVoGWjT%2BoUfLQIvGP/RoGWjR%2BIceLQMtGv/Qo2WgReMferQMtGj8Q4%2BWgRaNf%2BjRMtCi8Q89WgZaNP6hR8tAi8Y/9GgZaNH4hx4tAy0a/9CjZaBF4x96tAy0aPxDj5aBFo1/6NEy0KLxDz1aBlo0/qFHy0CLxj/0aBlo0fiHHi0DLRr/0KNloEXjH3q0DLRo/EOPloEWjX/o0TLQovEPPVoGWjT%2BoUfLQIvGP/RoGWjR%2BIceJQMPIOzeGc0PIDEAAAAASUVORK5CYII" alt=oops> which gave identical results. |
I reached this thread during a bug triage for the Chrome Loading team. At this moment, we don't focus on this topic, but if there is an update on this thread, please contact us via the following entry.
I finally created a PR for the demos above at web-platform-tests/wpt#27463. @youennf I'm inclined to uphold the current standard and not allow redirects to
Bugs: I also closed the Chrome bug.
Automatic update from web-platform-tests Fetch: redirects to data: URLs For whatwg/fetch#393. -- wpt-commits: 0cae3be3b2ba254b0cf40858b8cea6c7156090d7 wpt-pr: 27463
I managed to flip on this several times in the course of #111, the last time due to investigations in how navigate works in #309. I think my mistake might have been that I did not investigate "no-cors", as redirects to data URLs still work there in (some) implementations and lead to the response being treated as CORS-cross-origin (HTML's term).
Related tests that might need updating:
Thanks to @youennf for finding this.
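
The redirect rule this thread is about, modeled for a client that follows redirects by hand (an added example, not code from the Fetch standard, web-platform-tests or any browser): each `Location` value is resolved against the current URL and refused unless its scheme is HTTP(S), which is what the Fetch standard's redirect step requires. `checkRedirect`, `followChain` and the `site.example` URLs are hypothetical and constructed for illustration.

```javascript
// Redirect limit used by the Fetch standard.
const MAX_REDIRECTS = 20;

// Decide what to do with one redirect hop.
//   currentUrl    absolute URL of the request that received the 3xx response
//   location      raw Location header value (may be relative)
//   redirectCount hops already followed for this request
function checkRedirect(currentUrl, location, redirectCount) {
  let target;
  try {
    target = new URL(location, currentUrl); // resolves relative locations
  } catch {
    return { ok: false, reason: "unparsable Location" };
  }
  // data:, blob:, file:, javascript: and so on are refused before any
  // body is read, so the redirect target never reaches a parser.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { ok: false, reason: `redirect to ${target.protocol} URL blocked` };
  }
  if (redirectCount >= MAX_REDIRECTS) {
    return { ok: false, reason: "too many redirects" };
  }
  return { ok: true, url: target.href };
}

// Walk a redirect table (request URL -> Location header) without a network.
function followChain(startUrl, redirects) {
  let url = startUrl;
  let hops = 0;
  while (redirects.has(url)) {
    const verdict = checkRedirect(url, redirects.get(url), hops);
    if (!verdict.ok) return { error: verdict.reason, at: url };
    url = verdict.url;
    hops += 1;
  }
  return { finalUrl: url, hops };
}

// Constructed sample: one benign redirect, one redirect to a data: URL.
const SAMPLE_REDIRECTS = new Map([
  ["https://site.example/resources/redirect.py?location=/ok.js", "/ok.js"],
  ["https://site.example/resources/redirect.py?location=data:,alert(1)",
   "data:,alert(1)"],
]);
```
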