Treat data URLs as same-origin

annevk · web-flow · commit 6f223de29733 · 2016-09-15T19:50:19.000+02:00
By-and-large browsers treat data URLs as same-origin, though there are some inconsistencies. This change will treat all data URLs, regardless of origin, as same-origin from the perspective of Fetch. HTML already assigns a unique opague origin to documents created from a data URL and the plan of record is to do so for dedicated workers too. HTML will likely also forbid shared workers to be created from data URLs. See whatwg/html#1782 for the proposed changes to HTML. (This has not landed yet, if that PR is tweaked further the note added here might need some tweaks.) Service workers already prevent anything but HTTP(S) URLs from creating them. Fixes #381.
diff --git a/Overview.html b/Overview.html
@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-14-september-2016">Living Standard — Last Updated 14 September 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-15-september-2016">Living Standard — Last Updated 15 September 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -951,10 +951,6 @@ <h4 id="requests"><span class="secno">3.1.5 </span>Requests</h4>
 <dfn data-dfn-for="request" data-export="" id="omit-origin-header-flag">omit-<code>Origin</code>-header flag</dfn>. Unless stated
 otherwise it is unset.
 
-<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
-<dfn data-dfn-for="request" data-export="" id="same-origin-data-url-flag">same-origin data-URL flag</dfn>. Unless stated otherwise it is
-unset.
-
 <p>A <a href="#concept-request" title="concept-request">request</a> has an associated
 <dfn data-dfn-for="request" data-export="" id="concept-request-referrer" title="concept-request-referrer">referrer</dfn>, which is
 "<code>no-referrer</code>", "<code>client</code>", or a
@@ -2484,9 +2480,7 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
    <a href="#concept-request-origin" title="concept-request-origin">origin</a> and <i>CORS flag</i> is unset
    <dt><var>request</var>'s
    <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
-   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
-   "<code title="">data</code>" and <var>request</var>'s
-   <a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set
+   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code>data</code>"
    <dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
    "<code title="">navigate</code>" or "<code title="">websocket</code>"
 
@@ -2499,6 +2493,16 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
      using <var>request</var>.
     </ol>
 
+    <p class="note no-backref">HTML assigns any documents and dedicated workers created from
+    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> whose
+    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code>data</code>" a
+    unique <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-origin-opaque">opaque origin</a>, and prevents creation of shared workers
+    from such <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a>. Service workers can only be
+    created from <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> whose
+    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is an
+    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>.
+    <a href="#refsHTML">[HTML]</a> <a href="#refsSW">[SW]</a>
+
    <dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
    "<code title="">same-origin</code>"
 
@@ -3059,8 +3063,6 @@ <h3 id="http-redirect-fetch"><span class="secno">5.4 </span>HTTP-redirect fetch<
  <li><p>Increase <var>request</var>'s
  <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> by one.
 
- <li><p>Unset <var title="">request</var>'s <a href="#same-origin-data-url-flag">same-origin data-URL flag</a>.
-
  <li><p>If <var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code>cors</code>",
  <var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> is <em>not</em>
  <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with <var>actualResponse</var>'s
@@ -4683,7 +4685,6 @@ <h3 id="request-class"><span class="secno">6.3 </span>Request class</h3>
  <a href="#concept-request-origin" title="concept-request-origin">origin</a> is "<code>client</code>",
  <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a> is <var>request</var>'s
  <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a>,
- <a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set,
  <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is <var>request</var>'s
  <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>,
  <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> is
diff --git a/Overview.src.html b/Overview.src.html
@@ -881,10 +881,6 @@ <h4>Requests</h4>
 <dfn data-export data-dfn-for=request>omit-<code>Origin</code>-header flag</dfn>. Unless stated
 otherwise it is unset.
 
-<p>A <span title=concept-request>request</span> has an associated
-<dfn data-export data-dfn-for=request>same-origin data-URL flag</dfn>. Unless stated otherwise it is
-unset.
-
 <p>A <span title=concept-request>request</span> has an associated
 <dfn title=concept-request-referrer data-export data-dfn-for=request>referrer</dfn>, which is
 "<code>no-referrer</code>", "<code>client</code>", or a
@@ -2414,9 +2410,7 @@ <h3>Main fetch</h3>
    <span title=concept-request-origin>origin</span> and <i>CORS flag</i> is unset
    <dt><var>request</var>'s
    <span title=concept-request-current-url>current url</span>'s
-   <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
-   "<code title>data</code>" and <var>request</var>'s
-   <span>same-origin data-URL flag</span> is set
+   <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>"
    <dt><var>request</var>'s <span title=concept-request-mode>mode</span> is
    "<code title>navigate</code>" or "<code title>websocket</code>"
 
@@ -2429,6 +2423,16 @@ <h3>Main fetch</h3>
      using <var>request</var>.
     </ol>
 
+    <p class="note no-backref">HTML assigns any documents and dedicated workers created from
+    <span data-anolis-spec=url title=concept-url>URLs</span> whose
+    <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is "<code>data</code>" a
+    unique <span data-anolis-spec=html>opaque origin</span>, and prevents creation of shared workers
+    from such <span data-anolis-spec=url title=concept-url>URLs</span>. Service workers can only be
+    created from <span data-anolis-spec=url title=concept-url>URLs</span> whose
+    <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is an
+    <span data-anolis-spec=url>HTTP(S) scheme</span>.
+    <span data-anolis-ref>HTML</span> <span data-anolis-ref>SW</span>
+
    <dt><var>request</var>'s <span title=concept-request-mode>mode</span> is
    "<code title>same-origin</code>"
 
@@ -2989,8 +2993,6 @@ <h3>HTTP-redirect fetch</h3>
  <li><p>Increase <var>request</var>'s
  <span title=concept-request-redirect-count>redirect count</span> by one.
 
- <li><p>Unset <var title>request</var>'s <span>same-origin data-URL flag</span>.
-
  <li><p>If <var>request</var>'s <span title=concept-request-mode>mode</span> is "<code>cors</code>",
  <var>request</var>'s <span title=concept-request-origin>origin</span> is <em>not</em>
  <span data-anolis-spec=html>same origin</span> with <var>actualResponse</var>'s
@@ -4613,7 +4615,6 @@ <h3>Request class</h3>
  <span title=concept-request-origin>origin</span> is "<code>client</code>",
  <span>omit-<code>Origin</code>-header flag</span> is <var>request</var>'s
  <span>omit-<code>Origin</code>-header flag</span>,
- <span>same-origin data-URL flag</span> is set,
  <span title=concept-request-referrer>referrer</span> is <var>request</var>'s
  <span title=concept-request-referrer>referrer</span>,
  <span title=concept-request-referrer-policy>referrer policy</span> is
