Summary: | Security violations in Acid3 test | |
---|---|---|---
Product: | WebKit | Reporter: | Eric Seidel (no email) <eric>
Component: | New Bugs | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED INVALID | |
Severity: | Normal | CC: | abarth, collinj, gavin.sharp, ian, jruderman, jwalden+bwo, mjs, sam, webkit
Priority: | P2 | |
Version: | 528+ (Nightly build) | |
Hardware: | Mac | |
OS: | OS X 10.4 | |
URL: | http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html | |
Description
Eric Seidel (no email)
2008-01-21 23:13:52 PST
I don't think this usage of data: URLs is appropriate for the Acid3 test, as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS. Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme, if that is how you roll) differ. Hixie, if you agree, the issue can be mitigated by using a file on the same domain. You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS".
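The strict same-origin reading argued for in the comment above, as an added worked example that is not part of the bug report, of Acid3, or of WebKit: two URLs are same-origin only when scheme, host and port all agree, and a data: URL (which has no host) gets an opaque origin that matches nothing, so script in the test page could not reach into a data: frame, while a support file served from the same www.hixie.ch host would be reachable. The support-file path used below is a made-up illustration, not a file Acid3 ships.

```javascript
// Added example (not from the bug report or Acid3): a strict same-origin
// check. Origins compare as (scheme, host, port); data: URLs and other
// host-less URLs are treated as opaque and never match anything.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns the origin tuple for a URL, or null for an opaque origin.
function originOf(urlString) {
  const u = new URL(urlString);
  // data: URLs carry content, not a location, so there is no host to
  // compare; under the strict reading they get an opaque origin.
  if (u.protocol === "data:" || u.host === "") return null;
  // WHATWG URL parsing drops the scheme's default port, so restore it
  // so that http://host/ and http://host:80/ compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque matches nothing
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Decision a browser taking the strict reading would make when script
// running in docUrl tries to touch the DOM of a frame loaded from frameUrl.
function canScriptAccess(docUrl, frameUrl) {
  return sameOrigin(docUrl, frameUrl);
}

const testPage = "http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html";
// Hypothetical same-host support file, standing in for the mitigation
// the comment suggests (a file on the same domain instead of a data: URL).
const supportFile = "http://www.hixie.ch/tests/evil/acid/003/support.html";
const dataFrame = "data:text/html,<p>hello</p>";

console.log("data: frame reachable:", canScriptAccess(testPage, dataFrame));     // false
console.log("same-host file reachable:", canScriptAccess(testPage, supportFile)); // true
```

The check is deliberately stricter than what some browsers of the period did (Mozilla at the time let a data: document inherit the opener's origin, which is what the linked Mozilla bug is about); it encodes only the scheme/host/port comparison the comment describes.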
I don't think this is usage of data: URLs is appropriate for the Acid3 test as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS. Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme if that is how you roll) differ. Hixie, if you agree, the issue can be mitigated by using a file on the same domain. You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS". |