W3C home > Mailing lists > Public > public-html@w3.org > August 2008

Re: <script src=javascript:"..."> should do nothing

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 12 Aug 2008 00:22:50 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: Justin James <j_james@mindspring.com>, 'Toby A Inkster' <tai@g5n.co.uk>, public-html@w3.org
Message-ID: <Pine.LNX.4.62.0808120021200.5136@hixie.dreamhostps.com>

On Mon, 11 Aug 2008, Boris Zbarsky wrote:
> Justin James wrote:
> > If other @src's allow javascript:, why *wouldn't* we allow it in <script>?
> The spec currently does.

Actually right now the spec specifically says that javascript: in <script 
src=""> does nothing, for compatiblity with existing UAs. (I doubt that 
the three biggest UAs would all ignore javascript: in this one specific 
case if there wasn't content relying on that, so it seems unwise to not 
also require this in the spec.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 12 August 2008 00:23:34 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:37 UTC