Open ndrezn opened 3 months ago
For example, Mozilla has a broader definition of allowed data:
URIs:
Whereas the following cases will be allowed:
- User explicitly entering/pasting “data:…” into the address bar
- Opening all plain text data files
- Opening “data:image/*” in top-level window, unless it’s “data:image/svg+xml”
- Opening “data:application/pdf” and “data:application/json”
- Downloading a data: URL, e.g. ‘save-link-as’ of “data:…”
See: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
Hi folks, this package disallows
data:
URIs wholesale, which can be susceptible to the XSS exploit. However, there are cases where it's still a useful standard. Over in https://github.com/plotly/dash, we're using this project to sanitize URIs to protect against XSS, but some users have brought up that blanket prevention ofdata:
can be overly restrictive (https://github.com/plotly/dash/issues/2764).This may not be an issue with this package per se, but the question is whether it is a reasonable approach to blanket disallow
data:
or whether there is a more fine-grained sanitation scheme that might allow certain kinds of validdata:
URLs; maybe this is something maintainers of this package have thought about. Thanks!