> -----Original Message-----
> From: Ian Hickson [mailto:ian@hixie.ch]
> Sent: Monday, August 11, 2008 8:23 PM
> To: Boris Zbarsky
> Cc: Justin James; 'Toby A Inkster'; public-html@w3.org
> Subject: Re: <script src=javascript:"..."> should do nothing
>
> On Mon, 11 Aug 2008, Boris Zbarsky wrote:
> >
> > Justin James wrote:
> > > If other @src's allow javascript:, why *wouldn't* we allow it in
> > > <script>?
> >
> > The spec currently does.
>
> Actually right now the spec specifically says that javascript: in
> <script src=""> does nothing, for compatibility with existing UAs. (I doubt that
> the three biggest UAs would all ignore javascript: in this one specific
> case if there wasn't content relying on that, so it seems unwise to not
> also require this in the spec.)

What content could possibly count on the *lack* of support for something like this? I am just not able to conceive of a situation where someone says:

<script src="javascript:alert('The surprise is on you, I don't work!');" />

And then requires the browser to ignore it. I suspect that the reasoning is one of the following (but can't confirm without input from representatives of the browsers, of course):

* It never occurred to anyone to support javascript: URLs in the @src, since using the <script> element anyways lets you put JavaScript in as content.
* There is a perceived (real or imagined) security risk here.
* The HTML 4 spec may not have explicitly said to support this, so no one did.

Just some thoughts. But most importantly, I cannot envision any scenario where a developer would bank on a browser not interpreting a javascript: URL in the @src of <script>.

J.Ja

Received on Tuesday, 12 August 2008 04:19:42 GMT