Open
Bug 1209102
Opened 9 years ago
Updated 2 years ago
fetch() should not allow redirects to data URIs
Categories
(Core :: DOM: Core & HTML, defect, P5)
Core
DOM: Core & HTML
Tracking
()
NEW
People
(Reporter: bkelly, Unassigned)
References
(Blocks 1 open bug)
Details
See:
https://github.com/whatwg/fetch/issues/111
This probably effects other code as well since more things are using the fetch spec now. See bug 1018872.
Comment 1•9 years ago
|
||
Wait, why do we want to disallow the redirect instead of just making it a opaque response? There doesn't seem to be any actual reasoning to this effect in the github issue.
It seems to me like we should have as few special-cases in the platform as possible. Just because Blink happens to special-case all sorts of URI schemes everywhere and hence is inconsistent in terms of which schemes it supports in which context doesn't mean that we should spec that behavior or force everyone else to implement such spaghetti special-casing.
Flags: needinfo?(annevk)
Comment 2•9 years ago
|
||
Does Blink really have that many special cases? I guess we could revert back to making it opaque. I figured that since we were planning on aligning with Blink with regards to data URLs we could align on this front as well, but perhaps that wasn't as a principled decision as it should have been.
Flags: needinfo?(annevk)
Comment 3•9 years ago
|
||
> Does Blink really have that many special cases?
As far as I can tell, it does, though they've been whack-a-moling them a bit. They support various things from blob: URIs but not data: URIs, and it's totally inconsistent which things those are, and they keep changing it.
> I figured that since we were planning on aligning with Blink with regards to data URLs
With regard to their handling in iframes, no? Not their entire insanity where they have to manually change every callsite that might be fetching a URI to specially handle data: and therefore handle it or not handle it in completely random ways!
Reporter | ||
Comment 4•9 years ago
|
||
This might have never been spec'd, but we should double check.
Blocks: ServiceWorkers-compat
Comment 5•9 years ago
|
||
Note that I'm still not convinced this makes data URLs magic since either way the redirect logic in the specification will have to handle them explicitly (and that's only a single location, not every callsite), but as I mentioned I'm happy to change this back. Hopefully we can convince Chrome to do the same.
Reporter | ||
Updated•8 years ago
|
No longer blocks: ServiceWorkers-postv1
Updated•6 years ago
|
Priority: -- → P5
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•