Re: [whatwg] Fetch: cross-origin redirect to a data URL

2013-02-25 Thread Boris Zbarsky
On 2/25/13 3:00 PM, Adam Barth wrote: Yes, that's to defend against a different sort of attack. In some browsers, like Firefox, data URLs inherit the security context of their authors. This is not the case for data: URLs that are the target of a redirect, for what it's worth. At least in Fir

Re: [whatwg] Fetch: cross-origin redirect to a data URL

2013-02-25 Thread Adam Barth
On Mon, Feb 25, 2013 at 1:49 AM, Anne van Kesteren wrote: > On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth wrote: >> I don't think there is a security problem with that. It's just a >> question of how much it complicates the model. > > Well currently for http://software.hixie.ch/utilities/cgi/data/

Re: [whatwg] Cross-origin iframe and @sandbox=allow-same-origin

2013-02-25 Thread David Bruant
Le 25/02/2013 19:10, Ian Hickson a écrit : On Mon, 25 Feb 2013, David Bruant wrote: As a more general question: does iframe@sandbox="allow-same-origin" make a page and a cross-origin iframe further connected than they are currently without the keyword? The only difference is that without the ke

Re: [whatwg] Cross-origin iframe and @sandbox=allow-same-origin

2013-02-25 Thread Ian Hickson
On Mon, 25 Feb 2013, David Bruant wrote: > > The current description of the allow-same-origin sandbox token in the > spec is: " The allow-same-origin keyword allows the content to be > treated as being from the same origin instead of forcing it into a > unique origin;" > > This is a very scary

Re: [whatwg] Cross-origin iframe and @sandbox=allow-same-origin

2013-02-25 Thread Janusz Majnert
Hi, >From what I understand, it goes like this: Using the sandboxing flag on an iframe causes several fine-grained flags to be set (point 3 of the algorithm). One of the flags - "sandboxed origin browsing context flag"[1] forces the document into unique origin and blocks access to document.cookie a

Re: [whatwg] Fetch: cross-origin redirect to a data URL

2013-02-25 Thread Anne van Kesteren
On Mon, Feb 25, 2013 at 4:30 AM, Adam Barth wrote: > I don't think there is a security problem with that. It's just a > question of how much it complicates the model. Well currently for http://software.hixie.ch/utilities/cgi/data/data Chrome generates a network error if you hit "Generate" with t

[whatwg] Cross-origin iframe and @sandbox=allow-same-origin

2013-02-25 Thread David Bruant
Hi, The current description of the allow-same-origin sandbox token in the spec is: " The allow-same-origin keyword allows the content to be treated as being from the same origin instead of forcing it into a unique origin;" This is a very scary wording. Understood naively, I understand I could