On 10/08/15 00:13, Joachim Priesner wrote:
On Wednesday, 07 October 2015, Michael Stefaniuc wrote:
Part of the review system is already in place: Check the MAINTAINERS file if the DLL in question has a maintainer. If yes, then it is his responsibility to review the patch.
That is great news (which I somehow missed), thanks.
Alex' question touched an interesting point. https://msdn.microsoft.com/en-us/library/jj710206%28v=vs.85%29.aspx states that "Data URIs cannot be used for navigation, for scripting, or to populate frame or iframe elements."
So pasting data URIs in the address bar should actually not work at all (which I confirmed with IE11), on the other hand things like <iframe src="data:,A%20brief%20note"></iframe> also should not work, which they currently do with this patch because Gecko allows it.
Should I try to update this patch to exclude frame/iframe elements, or is this not considered a problem because we can assume Gecko handles such things in a secure manner?
I don't think there is a security concern here, so unless we find a real problem, it's fine as it is.
Cheers, Jacek