User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 Steps to reproduce: Proof of concept: <a href="data:text/html,<script>alert(document.cookie)</script>">Link</a> Actual results: Cookies from the containing page are available to the script. Expected results: The browser should reject attempts to access private state from within data URIs. For comparison, see that both Chrome and Safari throw security exceptions using the same test case. RFC 6454 defines an origin as the triple of (scheme, host, port). Since the scheme "data:" is not the same as the scheme "http:", it is a violation of same-origin policy to give a script within a data URI access to origin-protected state from an http page.
This is essentially the same as bug 1146922 which was duped to bug 255107, so this is also a duplicate.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 255107
You need to log in before you can comment on or make changes to this bug.