Anne van Kesteren wrote:
> data:text/javascript would act the same as simply loading a JavaScript file. There's no execution involved there so that's safe. I've allowed data: URIs now:
>
>   http://dev.w3.org/2006/webapi/XMLHttpRequest/

I should point out that this will require special-casing in the security check, because in general a random data: URI is NOT in fact same-origin with an http: URI. It's not even same-origin in Opera, last I checked, which means that they're special-casing it in the check here.... What's special about data: in particular? How long until someone else comes up with some other protocol they argue is "safe" and should also be special-cased?

I rather question whether there are actual use cases for this that justify the complexity in an area of code (security checks) where complexity and the attendant potential for bugs is to be avoided at all costs.

-Boris
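To make the objection concrete, here is a small added example (not code from the thread, the XMLHttpRequest draft, or any browser) of the kind of origin comparison a security check performs. The function names `originOf`, `sameOrigin` and `sameOriginWithDataException` are hypothetical, and the parsing relies on the WHATWG `URL` class as implemented in Node.js. It shows that under a plain scheme/host/port comparison a data: URI is never same-origin with an http: page, so allowing it from XHR means adding a separate branch to the check, which is exactly the extra code path the message warns about.

```javascript
// Added example: a minimal same-origin comparison and the special case
// that would be needed to let data: URIs through. Not from the original
// thread; function names are hypothetical.

// Reduce a URL to the (scheme, host, port) triple the same-origin policy
// compares. A data: URI has no authority section, so it gets an opaque
// origin that is never equal to any other origin.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === "data:") {
    return { scheme: "data", host: null, port: null, opaque: true };
  }
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || null,
    opaque: false,
  };
}

// Strict check: scheme, host and port must all match; opaque origins
// never match anything, so http: vs data: is always rejected here.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.opaque || ob.opaque) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// The special case the draft would require: accept any data: target
// regardless of the requesting origin. This is a distinct branch bolted
// onto the check, i.e. the added complexity the message objects to.
function sameOriginWithDataException(requesting, target) {
  if (originOf(target).scheme === "data") return true;
  return sameOrigin(requesting, target);
}

// Constructed sample inputs for a quick run.
const page = "http://example.com/app";
const dataUri = "data:text/javascript,var%20x%3D1";
console.log(sameOrigin(page, dataUri));                  // false
console.log(sameOriginWithDataException(page, dataUri)); // true
```

The strict check treats every data: URI as its own opaque origin, which matches what the message reports for Opera; the exception function is the only place where data: becomes reachable, so any future "safe" scheme would need yet another branch of the same shape.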