Skip to content

audio/video loads should set the "same-origin data-URL" flag #1779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bzbarsky opened this issue Sep 13, 2016 · 4 comments · Fixed by #1782
Closed

audio/video loads should set the "same-origin data-URL" flag #1779

bzbarsky opened this issue Sep 13, 2016 · 4 comments · Fixed by #1782
Assignees
@annevk
Labels
topic: fetch topic: media

Comments

@bzbarsky
Copy link
Contributor

For the same reason that images set it: so you can then work with the resulting thing.
@domenic
Copy link
Member

domenic commented Sep 13, 2016
edited
Loading

This (and #1778 and #1243) is largely the same discussion as whatwg/fetch#381, I think. We really should figure out the story there sooner rather than later.

@bzbarsky
Copy link
Contributor Author

From my point of view the basic story is that some of the Chrome developers hate data: URLs and want to kill them off on the web. With that goal in mind, they are trying to make them as useless as they possibly can within web compat constraints, and possibly a bit over that line. Some of that that hatred is motivated by what they perceive as security issues (and I will grant those); some is just motivated by Chrome's implementation details.

An alternate approach to data: URLs, and one that I think is more developer-friendly, is to make them as useful as we possibly can, while keeping in mind potential security/XSS issues. I don't see any XSS issues with audio/video, just like I don't see any with images.

@mikewest mikewest mentioned this issue Sep 13, 2016
Closed
@foolip
Copy link
Member

foolip commented Sep 14, 2016

Does this amount to whether loading a data: URL in a media element then allows you to access any in-band text tracks and painting video frames to a canvas? I take it that right now some implementations (Chrome?) treat it as cross-origin and some (Gecko?) as same-origin?

@annevk
Copy link
Member

annevk commented Sep 14, 2016

Yeah, basically that. This might not require changes here if we go with the solution put forward here: whatwg/fetch#381 (comment).

@annevk annevk assigned annevk and unassigned mikewest Sep 14, 2016
annevk added a commit that referenced this issue Sep 14, 2016
@annevk
Remove Fetch's same-origin data URL flag
513d54a 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes #1243, closes #1778, and closes #1779 as these are all treated
as same-origin now per the change to Fetch.
@annevk annevk mentioned this issue Sep 14, 2016
Merged
annevk added a commit that referenced this issue Sep 30, 2016
@annevk
Remove Fetch's same-origin data URL flag
e548c55 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes #1243, closes #1778, and closes #1779 as these are all treated
as same-origin now per the change to Fetch.
annevk added a commit that referenced this issue Oct 7, 2016
@annevk
Remove Fetch's same-origin data URL flag
5e7028e 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes #1243, closes #1778, and closes #1779 as these are all treated
as same-origin now per the change to Fetch.
annevk added a commit that referenced this issue Oct 10, 2016
@annevk
Remove Fetch's same-origin data URL flag
a61e36d 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes #1778, and closes #1779 as these are all treated as
same-origin now per the change to Fetch.
domenic pushed a commit that referenced this issue Oct 10, 2016
@annevk @domenic
Remove Fetch's same-origin data URL flag
7204ca9 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes #1778, and closes #1779 as these are all treated as
same-origin now per the change to Fetch.
alice pushed a commit to alice/html that referenced this issue Jan 8, 2019
@annevk
Remove Fetch's same-origin data URL flag
54db959 
The change to Fetch discussed in
whatwg/fetch#381 made it obsolete.

Closes whatwg#1778, and closes whatwg#1779 as these are all treated as
same-origin now per the change to Fetch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@annevk annevk

Labels
topic: fetch topic: media
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adapt to Fetch's data URL changes whatwg/html
5 participants
@mikewest @foolip @domenic @bzbarsky @annevk