Closed
Bug 1016888
Opened 10 years ago
Closed 7 years ago
HTML Imports should not import data URLs
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: freddy, Assigned: gkrizsanits)
References
Details
Attachments
(1 file)
127 bytes,
text/html
Chrome does not allow this:
> Imported resource from origin 'null' has been blocked from loading by Cross-Origin Resource Sharing policy: Received an invalid response. Origin 'http://localhost' is therefore not allowed access.
Test case attached, the included script sets `dataURI_Script` to true.
Comment 1•10 years ago
This bug may be invalid (that is, Chrome could be wrong). The import spec references "CORS enabled Fetch", and the Fetch spec special-cases about:, blob:, and data: as effectively same-origin before doing the load and expecting CORS headers: http://fetch.spec.whatwg.org/#concept-fetch
"importing" a data: URL is a bit silly (if you know the content, just put it inline without the base64 overhead), but blob: might make sense if you had some locally-cached template. I'd be happier if the import spec (http://www.w3.org/TR/html-imports/) restricted imports to scheme-relative locations (with a special case of allowing https imports from http documents), but I'm not sure I can justify that on rational grounds; it's probably just reflexive paranoia.
I don't think this needs to be hidden, does it? If some output filter is not sanitizing <link>s, they're probably already in trouble.
Importing a data: URL can be useful for testing.
Comment 3•10 years ago
URLs and blobs are allowed according to the Fetch algorithm, which imports rely on. So if Chrome does not implement them, that's just a bug IMO. I have not implemented this part either... BTW, I don't think this bug should be hidden. Imports are partially implemented and hidden behind a pref flag; it's expected to be buggy at this early stage. If that's a security concern, then it should just be backed out instead (which I hope will not happen...).
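To make the disagreement in comments 1 and 3 concrete, here is an added illustration (not code from the bug, the test case, or either browser): the first function applies the Fetch rule the comments cite, where about:, blob: and data: are treated as same-origin before any CORS check, and the second applies the behaviour quoted in the description, where a data: URL has origin "null" and therefore can never satisfy CORS. The document URL, import hrefs and response-header map are constructed for the example.

```javascript
// Added example: two decision procedures for whether an HTML Import
// (<link rel="import" href=...>) may load. Sample inputs are constructed.

// Schemes the Fetch spec (as cited in comment 1) exempts from the CORS check.
const NO_CORS_SCHEMES = new Set(['about:', 'blob:', 'data:']);

// Minimal CORS response check: the server must echo the requester's origin or "*".
// responseHeaders is a lower-cased header-name -> value map.
function corsAllows(requesterOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  return acao === '*' || acao === requesterOrigin;
}

// Spec behaviour: exempt schemes pass, same-origin passes, anything else needs CORS.
function importAllowedPerFetch(documentUrl, href, responseHeaders = {}) {
  const doc = new URL(documentUrl);
  const target = new URL(href, doc); // relative hrefs resolve against the document
  if (NO_CORS_SCHEMES.has(target.protocol)) return 'allowed: scheme exempt from CORS';
  if (target.origin === doc.origin) return 'allowed: same origin';
  return corsAllows(doc.origin, responseHeaders) ? 'allowed: CORS' : 'blocked: CORS';
}

// Behaviour reported for Chrome: no scheme exemption. A data: URL has origin "null",
// so it is cross-origin, and a data: fetch carries no Access-Control-Allow-Origin
// header, so the CORS check fails with the message quoted in the description.
function importAllowedLikeChrome(documentUrl, href, responseHeaders = {}) {
  const doc = new URL(documentUrl);
  const target = new URL(href, doc);
  if (target.origin === doc.origin) return 'allowed: same origin';
  return corsAllows(doc.origin, responseHeaders) ? 'allowed: CORS' : 'blocked: CORS';
}

// Constructed inputs mirroring the report: a page on http://localhost importing a
// data: document whose script sets dataURI_Script.
const PAGE = 'http://localhost/import-test.html';
const DATA_IMPORT = 'data:text/html,<script>dataURI_Script=true</script>';
console.log('Fetch spec :', importAllowedPerFetch(PAGE, DATA_IMPORT));
console.log('Chrome     :', importAllowedLikeChrome(PAGE, DATA_IMPORT));
```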
Updated•10 years ago
Group: core-security
Comment 4•9 years ago
Seems like this bug could be closed now, given that HTML Imports seem to be dead at this point.
Comment 5•7 years ago
Indeed.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX