Security violations in Acid3 test I expect that these are calls to object.contentDocument. I'm not certain. I'm also not sure if this behavior is correct or not. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
I don't think this is usage of data: URLs is appropriate for the Acid3 test as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS. Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme if that is how you roll) differ. Hixie, if you agree, the issue can be mitigated by using a file on the same domain.
Duplicate of bug 11885?
You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS".
Acid3 has changed the test. So I think we can close this and leave bug 11885 to handle any desired changes to data: url handling.