New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 684011 link

Starred by 8 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: 60-Dev , 60-Beta , 60-Stable-Exp , 60-Stable
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----

Blocked on:
issue 594215



Sign in to add a comment

Remove: Top frame navigations to data URLs

Project Member Reported by emilyschechter@chromium.org, Jan 23 2017

Issue description

Change description:
We intend to block web pages from loading data:URLs in the top frame using <A> tags, window.open, window.location and similar mechanisms.

Changes to API surface:
see above

Links:
https://bugs.chromium.org/p/chromium/issues/detail?id=594215
Public standards discussion: 

Support in other browsers:
Internet Explorer: IE and Edge already block navigations to data URLs. 
Firefox:
Safari:

*Make sure to fill in any labels with a -?, including all OSes this change
affects. Feel free to leave other labels at the defaults.

 

Comment 1 by mea...@chromium.org, Jan 23 2017

Blockedon: 594215
Description: Show this description

Comment 3 by mea...@chromium.org, Jan 25 2017

Summary: Remove: Content initiated top frame navigations to data URLs (was: Remove: Content initiated top frame navigations to data, blob and filesystem URLs)
Summary: Remove: Top frame navigations to data URLs (was: Remove: Content initiated top frame navigations to data URLs)
Current status:
* deprecated with console warning in M58.
* removal currently scheduled for M59.
Cc: jakebarrett@google.com

Comment 7 by mea...@chromium.org, Mar 23 2017

> * deprecated with console warning in M58.

Small correction: We merged the console warning to M57.
Labels: -Launch-M-Target-58-Dev -Launch-M-Target-58-Beta -Launch-M-Target-58-Stable-Exp -Launch-M-Target-58-Stable Launch-M-Target-59-Dev Launch-M-Target-59-Beta Launch-M-Target-59-Stable-Exp Launch-M-Target-59-Stable
@meacer any update on the removal? (or CL I can follow?) should we check back in with the I2R?
Labels: -M-58 M-59
CL is at https://codereview.chromium.org/2702503002/. We noted that we need to allow data URL to data URL navigations, so I'm working on that. How about we check back in next week?
yep! (wow big CL)
Labels: -M-59 -Launch-M-Target-59-Dev -Launch-M-Target-59-Beta -Launch-M-Target-59-Stable-Exp -Launch-M-Target-59-Stable M-60 Launch-M-Target-60-Dev Launch-M-Target-60-Beta Launch-M-Target-60-Stable-Exp Launch-M-Target-60-Stable
Status: Fixed (was: Assigned)
Update: change landed for the removal in M60 and will be rolling through channels.
ยังไม่เเน่ใจครับเพิ่งรับมาใช้ ยังไม่เน่ใจขอเวลาเพิ่มเติมก่อนนะครับ
Cc: kavvaru@chromium.org
 Issue 742702  has been merged into this issue.
This did break the Android Hybrid app which get re-directs from Java script ... It took us almost 2 months to figure out the problem as we never expected this change can break our app.
re-directs of the nature window.location were not honored by Web view clients second time onwards (?)..

We had to write a work around ot create temporary i/Frame and attach the re-direct to it and remove iFrame. Any better solution?

Thanks,
Ramdas

Sign in to add a comment