WHATWG
2023-01-25
plaintext logs
prev next
source on github
08:49
<freddy>
I know that we recently (within the last 5 years 👴) started disallowing navigations to data: URLs because of spoofing risks. Has this ever made into the spec? What's the situation for nested contexts here?
09:14
<Domenic>
annevk: ping on https://github.com/whatwg/html/pull/8392
09:15
<Domenic>
I know that we recently (within the last 5 years 👴) started disallowing navigations to data: URLs because of spoofing risks. Has this ever made into the spec? What's the situation for nested contexts here?
Redirects to data: URLs are specced as outlawed in https://html.spec.whatwg.org/#create-navigation-params-by-fetching step 21 . Not sure about straight-up navigations, I think they're still allowed?
09:17
<Domenic>
https://github.com/whatwg/html/pull/5279
09:18
<Domenic>
After https://github.com/whatwg/html/pull/8502 we should have the spec infrastructure to differentiate browser UI URL-bar navigations, vs. page-initiated navigations. So we could finish that.