svnlabs / google-caja

Automatically exported from code.google.com/p/google-caja

Consider supporting data: and javascript: uris where possible #1558

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The client-side URI policy explicitly drops all schemes that are not http, 
https or mailto.  However, both some data: uris are supportable in the ES5/3 
case and all data: and javascript: uris may be supportable in the ES5 case.  
This bug is to track support for these URIs.

Original issue reported on code.google.com by jas...@gmail.com on 7 Oct 2012 at 6:57

GoogleCodeExporter commented 9 years ago
The server also drops any schemes that are not http, https, or mailto, in 
UriPolicyNanny.  Seems simple to add the scheme, but I'm sure some validation 
of the data uri is in order as well...maybe not in the scope of this issue 
though.

Original comment by doug...@gmail.com on 9 Oct 2012 at 3:44

GoogleCodeExporter commented 9 years ago
Data uris would be very helpful for inline images. Would it help the security 
case if they were limited to being used for urls that hint as images? That 
would reduce the chance of dangerous content sniffing, I would think.

Original comment by cgoldfe...@google.com on 22 Jan 2013 at 7:31

GoogleCodeExporter commented 9 years ago
http://www.ietf.org/rfc/rfc2397.txt on parsing data uris.

Original comment by jas...@gmail.com on 22 Jan 2013 at 7:40
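Putting the two preceding suggestions together, as an added example that is not Caja's own code (and not the UriPolicyNanny logic mentioned earlier): an RFC 2397 data: URI parser and a whitelist URI policy that keeps http, https and mailto, keeps data: URIs only when they are base64-encoded, labelled with an image media type, under an assumed size cap and actually start with that format's magic bytes (so the declared label and the content agree, which is what limits content sniffing), and drops every other scheme, javascript: included. The scheme list, the size cap, the accepted image types and the sample payloads are assumptions of this example; it runs on Node.js because it uses Buffer.

```javascript
// Added example, not Caja's code. Assumed policy: http/https/mailto pass
// through; data: passes only as base64 image data with matching magic bytes
// under a size cap; every other scheme (javascript:, file:, ...) is dropped.
// Runs on Node.js (uses Buffer).

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const MAX_DATA_BYTES = 64 * 1024; // assumed cap on inline image size

// Leading bytes of the image formats this policy accepts inline. A Map (not a
// plain object) so that media types such as "constructor" cannot match
// inherited properties.
const IMAGE_MAGIC = new Map([
  ["image/png", [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ["image/gif", [0x47, 0x49, 0x46, 0x38]], // "GIF8" covers GIF87a and GIF89a
  ["image/jpeg", [0xff, 0xd8, 0xff]],
]);

// Parse data:[<mediatype>][;base64],<data> per RFC 2397. Returns null on
// malformed input. Whitespace inside a base64 payload is dropped, as the
// browsers' forgiving base64 decoding does.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) return null;
  const params = m[1].split(";");
  let mediaType = params[0].trim().toLowerCase();
  let base64 = false;
  const attrs = new Map();
  for (const p of params.slice(1)) {
    if (p.trim().toLowerCase() === "base64") { base64 = true; continue; }
    const eq = p.indexOf("=");
    if (eq < 0) return null; // parameters must be attribute=value
    attrs.set(p.slice(0, eq).trim().toLowerCase(), p.slice(eq + 1).trim());
  }
  if (mediaType === "") { // RFC 2397 default media type
    mediaType = "text/plain";
    if (!attrs.has("charset")) attrs.set("charset", "US-ASCII");
  }
  let bytes;
  if (base64) {
    const payload = m[2].replace(/\s+/g, "");
    if (!/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(payload)) {
      return null; // not valid base64
    }
    bytes = Buffer.from(payload, "base64");
  } else {
    // Percent-decode to raw bytes without assuming a text encoding.
    const raw = m[2].replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
    bytes = Buffer.from(raw, "latin1");
  }
  return { mediaType, attrs, base64, bytes };
}

// True when the payload starts with the magic bytes of the declared type.
function hasImageMagic(mediaType, bytes) {
  const sig = IMAGE_MAGIC.get(mediaType);
  if (!sig || bytes.length < sig.length) return false;
  return sig.every((b, i) => bytes[i] === b);
}

// Policy: return the URI to keep it, null to drop it. Tab and newline are
// removed and leading/trailing controls trimmed first, as the WHATWG URL
// parser does, so a scheme cannot be hidden behind embedded whitespace.
function rewriteUri(uri) {
  const cleaned = String(uri).replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return null; // relative or schemeless: out of scope here, dropped
  const scheme = m[1].toLowerCase();
  if (ALLOWED_SCHEMES.has(scheme)) return uri;
  if (scheme !== "data") return null; // javascript:, vbscript:, file:, ...
  const parsed = parseDataUri(cleaned);
  if (!parsed || !parsed.base64) return null; // only base64 image payloads
  if (!IMAGE_MAGIC.has(parsed.mediaType)) return null; // text/html, octet-stream, ...
  if (parsed.bytes.length > MAX_DATA_BYTES) return null;
  if (!hasImageMagic(parsed.mediaType, parsed.bytes)) return null; // label/content mismatch
  return uri;
}

// Constructed samples: a GIF89a header plus filler, labelled truthfully,
// the same bytes mislabelled as PNG, and a text/html payload.
const GIF_BYTES = Buffer.from([0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 0x01, 0x00, 0x01, 0x00]);
const GIF_DATA_URI = "data:image/gif;base64," + GIF_BYTES.toString("base64");
const MISLABELLED_URI = "data:image/png;base64," + GIF_BYTES.toString("base64");
const HTML_DATA_URI = "data:text/html;base64," + Buffer.from("<p>hi</p>").toString("base64");

for (const u of ["https://example.com/a.png", "javascript:void(0)", GIF_DATA_URI, MISLABELLED_URI, HTML_DATA_URI]) {
  console.log(rewriteUri(u) === null ? "drop" : "keep", u.slice(0, 40));
}
```

The magic-byte check is the piece that does the work the thread is asking about: a browser handed `data:image/png;base64,...` with non-PNG bytes may sniff and render the payload as something else, so the policy refuses any inline data whose bytes do not match the declared image type rather than trusting the label.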

GoogleCodeExporter commented 9 years ago
I'm trying to find out a way to insert an image in an HTML page through the 
Google Apps Script HTML Service using this type of notation.

    <a href="http://www.britblog.com/"><img src="
    WLrc/jDKSVe4OOvNu/9gqARDSRBHegyGMahqO4R0bQcjIQ8E4BMCQc930JluyGRmdAAcdiigMLVr
    ApTYWy5FKM1IQe+Mp+L4rphz+qIOBAUYeCY4p2tGrJZeH9y79mZsawFoaIRxF3JyiYxuHiMGb5KT
    kpFvZj4ZbYeCiXaOiKBwnxh4fnt9e3ktgZyHhrChinONs3cFAShFF2JhvCZlG5uchYNun5eedRxM
    AF15XEFRXgZWWdciuM8GCmdSQ84lLQfY5R14wDB5Lyon4ubwS7jx9NcV9/j5+g4JADs=
    " alt="British Blog Directory" width="80" height="15" /></a>

Using a simple HTML file in the apps script editor, the data image part in it 
isn't considered.

The same happens with a downloadable attachment I want to show with Html Service:

    <img src='" + get_icon_src(filename) + "'></img><a href='data:application/octet-stream;base64," + b64body + "' download='" + filename + "'>" + filename + "</a> 

Original comment by francesc...@injenia.it on 1 Sep 2013 at 12:12

GoogleCodeExporter commented 9 years ago

Original comment by kpreid@google.com on 11 Nov 2013 at 7:26

GoogleCodeExporter commented 9 years ago
The javascript: URIs may have security concerns, but it seems relatively 
straightforward to use data: URIs, particularly for images.

I am trying to make a Google Apps Script add-on that has images requiring 
authentication. Inline images would make this work.

Original comment by p...@lucidchart.com on 17 Dec 2013 at 6:23