
RE: <script src=javascript:"..."> should do nothing

From: Justin James <j_james@mindspring.com>
Date: Tue, 12 Aug 2008 00:18:41 -0400
To: "'Ian Hickson'" <ian@hixie.ch>, "'Boris Zbarsky'" <bzbarsky@MIT.EDU>
Cc: "'Toby A Inkster'" <tai@g5n.co.uk>, <public-html@w3.org>
Message-ID: <001501c8fc32$809ce770$81d6b650$@com>

> -----Original Message-----
> From: Ian Hickson [mailto:ian@hixie.ch]
> Sent: Monday, August 11, 2008 8:23 PM
> To: Boris Zbarsky
> Cc: Justin James; 'Toby A Inkster'; public-html@w3.org
> Subject: Re: <script src=javascript:"..."> should do nothing
> 
> On Mon, 11 Aug 2008, Boris Zbarsky wrote:
> >
> > Justin James wrote:
> > > If other @src's allow javascript:, why *wouldn't* we allow it in
> <script>?
> >
> > The spec currently does.
> 
> Actually right now the spec specifically says that javascript: in
> <script
> src=""> does nothing, for compatibility with existing UAs. (I doubt that
> the three biggest UAs would all ignore javascript: in this one specific
> case if there wasn't content relying on that, so it seems unwise to not
> also require this in the spec.)

What content could possibly count on the *lack* of support for something
like this? I am just not able to conceive of a situation where someone says:

<script src="javascript:alert('The surprise is on you, I don\'t work!');" />

And then requires the browser to ignore it.

I suspect that the reasoning is one of the following (but can't confirm
without input from representatives of the browsers, of course):

* It never occurred to anyone to support javascript: URLs in the @src, since
using the <script> element anyways lets you put JavaScript in as content.

* There is a perceived (real or imagined) security risk here.

* The HTML 4 spec may not have explicitly said to support this, so no one
did.

Just some thoughts. But most importantly, I cannot envision any scenario
where a developer would bank on a browser not interpreting a javascript: URL
in the @src of <script>.

J.Ja
Received on Tuesday, 12 August 2008 04:19:42 GMT
