Firefox treats iframes pointing to a data URL as same-origin. This is all well-known, was part of the HTML spec and has been discussed before [1,2]
What has changed now is the HTML spec text[3]: Given that EdgeHTML, Webkit and Blink violated this requirement, the standard now turned around and assigns them a unique opaque origin. I'll gladly accept the fact that we are not the violator, given the security implications [1]. The GitHub related issue[4] included a discussion with some of our DOM folks, but did not come to a conclusion as to what we plan to do here. Is back compat the main concern? I'd be happy to add a telemetry probe and a devtools warning if someone is willing to point me in the right direction. Thanks, Freddy [1] https://bugzilla.mozilla.org/show_bug.cgi?id=255107 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1018872 [3] https://github.com/whatwg/html/commit/00769464e80149368672b894b50881134da4602f [4] https://github.com/whatwg/html/issues/1753 _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
