Closed Bug 313070 Opened 19 years ago Closed 18 years ago

Treat about:blank like a data: URL

Categories

(Core :: DOM: Core & HTML, enhancement)

RESOLVED DUPLICATE of bug 332182

People

(Reporter: jruderman, Unassigned)

Details

Split from bug 312124 comment 11 (and several surrounding comments).

about:blank pages currently have an "anybody can touch me" policy.  This should
be changed to be more like data: URLs -- inheriting the principal of the script
that loaded it, or if statically src'ed, the principal of the page.

I think the current behavior introduces an XSS hole for any page that uses DOM 2
with about:blank to display information, and makes security-related code in
Gecko more complicated than it needs to be.

OS: Windows XP → All
Hardware: PC → All

*** This bug has been marked as a duplicate of 332182 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
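
A simplified model of the two policies described in the report, added here as an illustration and not taken from Gecko or from the bug itself. It compares which callers pass an access check for about:blank and data: documents under the reported behavior and under the proposed inheritance. The function names, the policy labels "current" and "inherit", and the example origins are assumptions.

```javascript
// Simplified model of the two policies; not Gecko code, all names are hypothetical.
// A principal is modelled as an origin string; null means "no owner".

function inheritsPrincipal(url, policy) {
  if (url.startsWith("data:")) return true;             // data: already inherits
  return url === "about:blank" && policy === "inherit"; // the proposed change
}

// loader.scriptOrigin: origin of the script that triggered the load (or null)
// loader.pageOrigin: origin of the page whose markup statically references the URL
function principalFor(url, loader, policy) {
  if (inheritsPrincipal(url, policy)) {
    return loader.scriptOrigin ?? loader.pageOrigin;
  }
  if (url === "about:blank") return null;               // reported "anybody can touch me"
  return new URL(url).origin;
}

// Access check as the model sees it: an ownerless document passes for every caller.
function canAccess(callerOrigin, docPrincipal) {
  return docPrincipal === null || callerOrigin === docPrincipal;
}

// Constructed scenario: a page fills an about:blank frame through the DOM,
// and a document from another origin holds a reference to that frame.
function auditScenario(policy) {
  const app = "https://app.example";     // constructed origins
  const other = "https://other.example";
  const frames = {
    scripted: principalFor("about:blank", { scriptOrigin: app, pageOrigin: app }, policy),
    staticSrc: principalFor("about:blank", { scriptOrigin: null, pageOrigin: app }, policy),
    dataUrl: principalFor("data:text/html,hi", { scriptOrigin: app, pageOrigin: app }, policy),
  };
  const report = {};
  for (const [name, principal] of Object.entries(frames)) {
    report[name] = { owner: canAccess(app, principal), crossOrigin: canAccess(other, principal) };
  }
  return report;
}

console.log("current:", JSON.stringify(auditScenario("current")));
console.log("inherit:", JSON.stringify(auditScenario("inherit")));
```

In the "current" run only the data: frame rejects the cross-origin caller; in the "inherit" run all three frames do, while the owning page keeps access.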