Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Treat data URLs as same-origin, except for workers #387

Merged
merged 3 commits into from
Sep 15, 2016
Merged

Treat data URLs as same-origin, except for workers #387

merged 3 commits into from
Sep 15, 2016

Commits on Sep 14, 2016

  1. Treat data URLs as same-origin, except for workers 

    HTML gives data URLs a unique origin when navigating to them to prevent
a class of XSS attacks.

Since browsers already largely allow data URLs in all other contexts
this commit aligns with that, opting them into being same-origin
elsewhere.

Workers however are still prevented. It would create problems for
shared workers and potentially also for dedicated workers.

Fixes #381.
    @annevk
    annevk committed Sep 14, 2016
    Configuration menu
    Copy the full SHA
    cb9e133 View commit details
    Browse the repository at this point in the history

Commits on Sep 15, 2016

  1. let HTML handle the special casing

    @annevk
    annevk committed Sep 15, 2016
    Configuration menu
    Copy the full SHA
    a369a36 View commit details
    Browse the repository at this point in the history

  2. nits

    @annevk
    annevk committed Sep 15, 2016
    Configuration menu
    Copy the full SHA
    2795c2f View commit details
    Browse the repository at this point in the history