Clarify how data: URLs should be handled for imports (bugzilla: 25924) #207
Labels
Comments
TakayoshiKochi
changed the title
|
Let me close this issue as we do not spend time on HTML Imports moving forward. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Title: [Imports]: The spec. is not very specific about the edge cases of the load (bugzilla: 25924)
Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c0
Gabor Krizsanits wrote on 2014-05-30 10:45:09 +0000.
It can be that I'm overlooking something, but I don't see answers for these questions in the spec:
comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c1
Anne wrote on 2014-05-30 10:52:05 +0000.
1 and 2 should be clear from using Fetch.
comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c2
Gabor Krizsanits wrote on 2014-05-30 14:05:17 +0000.
After talking to Anne, I think I got all my questions answered... so I'm closing this for now.
comment: 3
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c3
Brendan Eich wrote on 2014-05-31 01:14:54 +0000.
It would help bug-followers to see the resolution in detail. IOW, for each hyphen-bulleted point in comment 0, a resolution item. Thanks,
/be
comment: 4
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c4
Anne wrote on 2014-05-31 07:02:20 +0000.
We should probably actually clarify data URLs. I suspect they should not be allowed here as they would be able to execute scripts. I need to add the flag proposed by Jonas in http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0696.html and HTML imports should probably not set it.
Is the text/html requirement stated?
Brendan, as for the rest:
comment: 5
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c5
Gabor Krizsanits wrote on 2014-05-31 14:54:45 +0000.
(In reply to Anne from comment #4)
Why is script execution a concern exactly? I also don't quite get the example from Jonas, since data urls should only work if the redirect count is 0, no?
It is not actually, the spec only states that the default type is text/html. I really think it should be.
One more thing that came up is if import documents fire their own load event or not.
Also the spec mentions a simple load event fired against the referring links, but I'm not absolutely sure if that is a DOMContentLoaded or a Document load kind of event, in terms of when to fire. Should we wait for images for example in the import before we fire it?
(In reply to Brendan Eich from comment #3)
I think I closed this bug prematurely, also, this request is perfectly valid, sorry about that. And thanks Anne for doing the work for me :)
comment: 6
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c6
Anne wrote on 2014-06-02 09:34:53 +0000.
(In reply to Gabor Krizsanits from comment #5)
We want to restrict data URLs more. Them simply inheriting the origin of the fetching context can be somewhat dangerous. Not a 100% sure whether this applies to HTML imports, as they can effectively do the same as <script> which is also unprotected. Seems like http://lists.w3.org/Archives/Public/public-webapps/2014AprJun/0729.html is the larger issue here.
comment: 7
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25924#c7
Simon Pieters wrote on 2014-06-02 10:21:06 +0000.
(In reply to Anne from comment #4)
Is that right?![]()
ignores it but doesn't. I don't know about other features.
The text was updated successfully, but these errors were encountered: