23727 – Same-origin redirect to data URLs should still be same-origin?

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23727 - Same-origin redirect to data URLs should still be same-origin?

Summary: Same-origin redirect to data URLs should still be same-origin?

Status:	RESOLVED FIXED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	Fetch (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	Unsorted
Assignee:	Anne
QA Contact:	sideshowbarker+fetchspec

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2013-11-05 17:45 UTC by Anne
Modified:	2014-06-05 08:47 UTC (History)
CC List:	1 user (show)

See Also:

Attachments

Description Anne 2013-11-05 17:45:52 UTC

This appears to be the current definition in HTML and we are breaking it. That's no good. Whether anyone implements this is another matter.

Comment 1 Anne 2013-11-05 18:28:18 UTC

http://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0180.html

Attack: Site has an open redirect. Can supply same-origin content that would otherwise have been filtered.

Comment 2 Anne 2013-11-05 18:38:33 UTC

See bug 21506 for another discussion on this topic.

Seems like this should be WONTFIX.

Comment 3 Anne 2014-05-18 17:38:21 UTC

Per http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0473.html we might want to have a different origin handling for data URLs and such altogether.

Comment 4 Anne 2014-06-05 08:47:20 UTC

https://github.com/whatwg/fetch/commit/5b64685a97a7d6f24814172de68399d0225a4cae