Hey Everyone, we plan to change the handling of data: URLs for FF57. Rather than inheriting the origin of the settings object responsible for the navigation, data: URIs will be treated as unique, opaque origins [0]. In other words, data: URLs loaded inside an iframe are not same-origin with their including context anymore. Not only will that behavior mitigate the risk of XSS, it will also make Firefox spec compliant [0] and compliant with the behavior of other browsers which all have been shipping that behavior for a long time.
Over the past weeks we have converted hundreds of tests within our test suite to comply with the new data: URI inheritance model. Please note that we have test coverage for both worlds, the new, as well as the old behavior. By now we have a green TRY run for Linux, but have to do a few follow ups for other platforms since some of the failing tests were disabled on Linux. Anyway, currently this feature lives behind the pref |security.data_uri.unique_opaque_origin| which we plan to flip for FF57 so data: documents become unique, opaque, origins. Even though we have good test coverage we are currently extending web platform tests to make sure behavior is consistent across browsers. We don’t think that adding those additional tests should hold us back from flipping the pref. Ideally we suggest to flip the pref rather sooner than later to eliminate potential issues early in Nightly. Overall progress of the project will be tracked here [1]. Thanks, Christoph, Ethan, Henry, and Yoshi [0] https://html.spec.whatwg.org/multipage/origin.html#origin <https://html.spec.whatwg.org/multipage/origin.html#origin> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 <https://bugzilla.mozilla.org/show_bug.cgi?id=1324406> _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
