Affecting Data URLs are now treated as unique origins

Published: | Categories: DOM, Privacy & Security

Description

Starting with Firefox 57, data URLs (URLs prefixed with the data: scheme) are treated as unique origins. This means that scripts within data URLs loaded in an <iframe> can no longer access the embedding page’s objects. The change is intended both to mitigate the risk of cross-site scripting (XSS) attacks and to align Firefox with the HTML standard and the behaviour of other browsers.

The rich text editor functionality in YUI 2 is known to be broken because it uses data URLs only for Firefox. Given that the library is no longer actively maintained, users should consider migrating to a promising alternative. So far Mozilla has no plans to solve the issue on the Firefox side.
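To find markup affected by the origin change described above, static pages can be audited for frames that load data URLs. The following is an added example, not code from the original page or from Firefox: it is a simplified model that handles only data: and http(s) frame URLs, and the page URL, sample markup and function names are constructed for illustration.

```javascript
// Added example: simplified model of the origin rule, not Firefox's implementation.
// Only data: and http(s) frame URLs are modelled; about:blank, srcdoc and blob: are out of scope.

// Returns the origin a frame document gets, or null for a unique (opaque) origin.
function frameOrigin(frameSrc, parentUrl) {
  const url = new URL(frameSrc, parentUrl); // resolves relative src values
  if (url.protocol === 'data:') return null; // Firefox 57+: unique origin
  if (url.protocol === 'http:' || url.protocol === 'https:') return url.origin;
  throw new Error('scheme not modelled: ' + url.protocol);
}

// True when script in the frame could still reach the embedding page's objects.
function canAccessParent(frameSrc, parentUrl) {
  const origin = frameOrigin(frameSrc, parentUrl);
  // A unique origin is same-origin with nothing, including the embedding page.
  return origin !== null && origin === new URL(parentUrl).origin;
}

// Rough scan of static markup for <iframe src=...>. Frames whose src is set
// from script (as a library might do) need a runtime check instead.
function auditIframes(html, parentUrl) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const findings = [];
  for (const m of html.matchAll(re)) {
    const src = m[2];
    findings.push({
      src,
      scheme: new URL(src, parentUrl).protocol,
      canAccessParent: canAccessParent(src, parentUrl),
    });
  }
  return findings;
}

// Constructed sample page and URL, for illustration only.
const PAGE_URL = 'https://app.example/editor/index.html';
const SAMPLE_HTML = `
  <iframe id="a" src="toolbar.html"></iframe>
  <iframe id="b" src='data:text/html,<body contenteditable>draft</body>'></iframe>
  <iframe id="c" src="https://cdn.example/widget.html"></iframe>`;

const report = auditIframes(SAMPLE_HTML, PAGE_URL);
for (const f of report) {
  console.log(`${f.canAccessParent ? 'ok     ' : 'blocked'} ${f.scheme} ${f.src.slice(0, 40)}`);
}
```

Frames reported as blocked with the data: scheme are the ones whose scripts lose access to the embedding page under this change.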
