
Re: [Uri-review] Updated 'javascript' scheme draft

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 05 Oct 2010 07:00:23 +0200
To: Adam Barth <ietf@adambarth.com>
Cc: IRI WG mailing list <public-iri@w3.org>
Message-ID: <robla6tugne1ec9dkikgkahojscori9r08@hive.bjoern.hoehrmann.de>
* Adam Barth wrote:
>   The in-context evaluation operation necessitates extreme caution in
>   deciding where resource identifiers using this scheme are recognized
>   and permitted and what facilities are made available to script code,
>   like access to private information and operations with side effects.
>I probably would have said something a bit stronger than that.
>JavaScript URLs are a security disaster.  I wouldn't recommend their
>use by anyone with a choice in the matter.  :)

Like I noted when I announced the revised draft, there has been some
criticism in that direction, but nobody submitted text and I could not
come up with text that I didn't feel was misleading (most problems
with this scheme are shared by other schemes in one form or another,
so singling this scheme out may be a bad idea). If there was consensus
that the scheme should be deprecated, I'd gladly do that, but that's
not where we are.

It would be great if there was, say, a peer-reviewed paper that discusses
the poor security record with this scheme in some detail, which I would
gladly reference in the specification, but I have not yet come across
anything like that.

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
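The quoted draft text asks implementers to be careful about where identifiers with this scheme are "recognized and permitted". The following is an added example of what that decision looks like on the defending side; it is not code from the thread, the draft, or any of its authors. It assumes a hypothetical `isSafeHref` check applied to a user-supplied link target before it is placed in an `href`, and an allowlist of schemes chosen for the example. The scheme is extracted the way the WHATWG URL parser does it (leading and trailing C0 controls and spaces are stripped, ASCII tab and newline are removed anywhere, the scheme name is case-insensitive), which is why a plain `startsWith("javascript:")` test is not equivalent to what a browser will later evaluate.

```javascript
// Added example (not part of the original message or the draft): decide
// whether a user-supplied link target may be written into an href by
// extracting its scheme as a WHATWG-style URL parser would, then checking
// the scheme against an allowlist. Names and the allowlist are assumptions
// made for this example.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Returns the lower-cased scheme of `input`, or null when the input has no
// scheme (i.e. it is a relative reference resolved against the document).
function extractScheme(input) {
  // Step 1 (URL parser): remove leading and trailing C0 control or space.
  let s = input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  // Step 2 (URL parser): remove ASCII tab or newline anywhere in the input.
  s = s.replace(/[\t\n\r]/g, "");
  // A scheme is one ASCII letter followed by letters, digits, "+", "-" or
  // ".", terminated by ":". Anything else (e.g. "foo/bar:baz") is relative.
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// true when the target is a relative reference or uses an allowlisted scheme.
function isSafeHref(input) {
  const scheme = extractScheme(input);
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, as a reader might exercise the check:
const samples = [
  "https://example.com/page",        // allowed scheme
  "/relative/path",                  // no scheme, relative reference
  "mailto:someone@example.com",      // allowed scheme
  " \tJaVaScRiPt:void(0)",           // whitespace + mixed case, rejected
  "java\nscript:void(0)",            // embedded newline, rejected
  "data:text/plain,hello",           // not on the allowlist, rejected
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeHref(s) ? "accept" : "reject");
}
```

The allowlist approach is deliberate: a blocklist of "javascript" alone would still admit other schemes that trigger in-context behaviour in some user agents, and the point of the draft's caution is that the decision belongs to the embedding context, not to the scheme.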
Received on Tuesday, 5 October 2010 06:01:01 UTC
