feat(security): categorize <track src> as a regular URL.

After security review, it turns out we were too paranoid about <track src>. Its content is not actually active or dangerous.

Fixes #10089.
Martin Probst 2016-07-20 10:28:13 -07:00
parent 76b8a49bfb
commit a441b5b8fe
1 changed files with 4 additions and 5 deletions


@ -36,10 +36,10 @@ registerContext(SecurityContext.HTML, [
registerContext(SecurityContext.STYLE, ['*|style']);
// NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
registerContext(SecurityContext.URL, [
'*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
'source|src', 'source|srcset', 'video|poster', 'video|src',
'*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
'source|src', 'source|srcset', 'track|src', 'video|poster', 'video|src',
]);
registerContext(SecurityContext.RESOURCE_URL, [
'applet|code',
@ -55,5 +55,4 @@ registerContext(SecurityContext.RESOURCE_URL, [
'object|codebase',
'object|data',
'script|src',
'track|src',
]);
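Review bot: Moving `'track|src'` from the RESOURCE_URL list to the URL list lowers the trust bar for that attribute, but the reason is recorded only in the commit message and nothing in the file explains it to the next maintainer. Above the URL registration I would add a comment next to the existing NB line, for example `// NB: track|src is treated as a plain URL: text-track content is data, not executable code (see #10089).` The diffstat shows a single changed file, so it looks as though no spec was updated. An assertion that `track|src` resolves to `SecurityContext.URL` and no longer to `SecurityContext.RESOURCE_URL` would stop a later edit from silently changing the classification again. The RESOURCE_URL list is only partly visible across the two hunks, so I could not check whether any other entry deserves the same re-evaluation.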