Closed Bug 1016888 Opened 10 years ago Closed 7 years ago

HTML Imports should not import data URLs

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
31 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: freddy, Assigned: gkrizsanits)

References

Details

Attachments

(1 file)

test-data-uri.html
127 bytes, text/html
Details
Attached file test-data-uri.html
Chrome does not allow this: > Imported resource from origin 'null' has been blocked from loading by Cross-Origin Resource Sharing policy: Received an invalid response. Origin 'http://localhost' is therefore not allowed access. Test case attached, the included script sets `dataURI_Script` to true.
This bug may be invalid (that is, Chrome could be wrong). The import spec references "CORS enabled Fetch", and the Fetch spec special-cases about:, blob:, and data: as effectively same-origin before doing the load and expecting CORS headers: http://fetch.spec.whatwg.org/#concept-fetch "importing" a data: URL is a bit silly (if you know the content, just put it inline without the base64 overhead), but blob: might make sense if you had some locally-cached template. I'd be happier if the import spec (http://www.w3.org/TR/html-imports/) restricted imports to scheme-relative locations (with a special case of allowing https imports from http documents) but I'm not sure I can justify that on rational grounds, it's probably just reflexive paranoia. I don't think this needs to be hidden, does it? If some output filter is not sanitizing <link>s they're probably already in trouble.
importing data: url can be useful for testing.
url's and blob's are allowed according to the Fetch algorithm which imports are relied of. So if chrome does not implement them that's just a bug imo. I have not implemented this part either... btw I don't think this bug should be hidden. Imports are partially implemented and hidden behind a pref flag, it's expected to be buggy at this early stage. If that's a security concern than it should be just backed out instead. (which I hope will not happen...)
Group: core-security
Depends on: 1018872
Seems like this bug could be closed now, given that HTML Imports seem to be dead at this point
Indeed.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: