Data URL iframes are considered secure contexts only if sandboxed #83
Comments
https://html.spec.whatwg.org/#secure-contexts supersedes the definition here. @domenic @sideshowbarker what do you think about updating this specification? I'm happy to review patches, or submit a patch for review. I think Mike and I can land patches so even if this is effectively unowned we could still add some clarity.
That'd be great. I was willing to do that a while ago, but the fact that there's so many open PRs (including e.g. basic ones like #76) discouraged me. For division of work, I'd be happy to work on updating the pointers to HTML and removing the now-redundant algorithms, but would rather someone else tackle any of the non-normative bits.
Oh, I see. Thanks for the pointer to the current spec in HTML, I was unaware of it...
I think updating it would be a great thing — and we have a clear way open to make it happen, so yeah, let’s move forward with it
See #83. (Also remove a line from .travis.yml that does not appear to be needed and caused the build to fail.)
Hi there!
I stumbled across this initially when looking at the web platform tests for secure contexts and inheritance. The secure-contexts/basic-popup-and-iframe-tests.https.html test exhibits two failures.
The test asserts that data: iframes inherit their parent's isSecureContext bit, whether they are sandboxed or not.
The results show otherwise:
- data: URL only inherit their parent's isSecureContext bit in Safari
- data: URL are never secure
Indeed, it seems only Safari correctly implements the spec here. According to the spec (simplifying for clarity in this case):
- data: URLs are considered potentially-trustworthy
- data: URLs have opaque origins, which are not considered potentially-trustworthy
It seems strange that sandboxed iframes would be considered more secure than their non-sandboxed siblings. I think this strange state of affairs resulted from changes made for #26 and #69.
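A small browser probe for the behaviour this issue reports, as an added example (not part of the issue or of the web platform tests; all function names are hypothetical). Run from a page, it loads one sandboxed and one non-sandboxed data: iframe and reports whether each frame's isSecureContext bit matches the parent's.

```javascript
// Build a data: URL whose document reports its isSecureContext bit to the parent.
// A frame with an opaque origin can still postMessage to its parent with '*'.
function buildProbeUrl(label) {
  const body = `<script>parent.postMessage(` +
    `{probe: ${JSON.stringify(label)}, secure: self.isSecureContext}, '*')<\/script>`;
  return 'data:text/html,' + encodeURIComponent(body);
}

// The two cases the issue compares. allow-scripts lets the probe script run;
// allow-same-origin is deliberately absent.
const CASES = [
  { label: 'sandboxed', sandbox: 'allow-scripts' },
  { label: 'plain', sandbox: null },
];

// Compare each frame's reported bit with the parent's; null means no report arrived.
function summarize(parentSecure, reports) {
  return CASES.map(({ label }) => {
    const secure = label in reports ? reports[label] : null;
    return { label, secure, inherited: secure === parentSecure };
  });
}

// Browser-only driver: insert both frames, collect their reports, resolve with a summary.
function runProbe(timeoutMs = 2000) {
  return new Promise((resolve) => {
    const reports = {};
    const frames = new Map();
    const finish = () => {
      removeEventListener('message', onMessage);
      resolve(summarize(isSecureContext, reports));
    };
    function onMessage(e) {
      const label = e.data && e.data.probe;
      if (frames.get(label) !== e.source) return; // only frames created here
      reports[label] = e.data.secure === true;
      if (Object.keys(reports).length === CASES.length) finish();
    }
    addEventListener('message', onMessage);
    for (const { label, sandbox } of CASES) {
      const f = document.createElement('iframe');
      if (sandbox !== null) f.setAttribute('sandbox', sandbox);
      f.src = buildProbeUrl(label);
      document.body.appendChild(f);
      frames.set(label, f.contentWindow);
    }
    setTimeout(finish, timeoutMs); // report whatever arrived if a frame stays silent
  });
}
if (typeof document !== 'undefined') runProbe().then(console.table);
```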