mshtml: Treat "data:" as Gecko special URI scheme

Jacek Caban jacek at codeweavers.com
Thu Oct 8 05:18:56 CDT 2015


On 10/08/15 00:13, Joachim Priesner wrote:
> On Wednesday, 07 October 2015, Michael Stefaniuc wrote:
>> part of the review system is already in place:
>> Check the MAINTAINERS file if the DLL in question has a maintainer. If
>> yes then it is his responsibility to review the patch.
> That is great news (which I somehow missed), thanks.
>
>
> Alex' question touched an interesting point. https://msdn.microsoft.com/en-us/library/jj710206%28v=vs.85%29.aspx states that "Data URIs cannot be used for navigation, for scripting, or to populate frame or iframe elements."
>
> So pasting data URIs in the address bar should actually not work at all (which I confirmed with IE11), on the other hand things like <iframe src="data:,A%20brief%20note"></iframe> also should not work, which they currently do with this patch because Gecko allows it.
>
> Should I try to update this patch to exclude frame/iframe elements, or is this not considered a problem because we can assume Gecko handles such things in a secure manner?

I don't think there is a security concern here, so unless we find a real
problem, it's fine as it is.

Cheers,
Jacek


