Re: requesting feedback regarding HTML5 and RFC 3987

On Sun, Jun 19, 2011 at 8:10 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 6/19/11 5:47 PM, Adam Barth wrote:
>>
>> Does that mean if a new document arises from evaluating the JavaScript
>> URL that you'll scroll the page to the indicated fragment?
>
> Yes, but Firefox 4 and earlier does that too, because the "scroll to
> fragment" code doesn't actually use the results of parsing the URI (long
> story that I'm happy to fill people in on if desired) and instead serializes
> it to a string and then just grabs everything after the first '#'.
>
> Testcase:
>
> <iframe src="javascript:'<html><div style=&quot;height:
> 1000px&quot;></div><div
> id=&quot;test\'&quot;>test</div></html>#test'"></iframe>
>
>> In the resulting document, will location.hash contain the part after the #
>> ?
>
> Yes (this will be a behavior change from Firefox 4).  Testcase:
>
> <iframe
> src="javascript:'<html><script>alert(location.hash);</script></html>#test'"></iframe>
>
>> What will assigning to location.hash do (e.g., re-evaluating the
>> JavaScript URL or just scroll the page)?
>
> Just scroll the page.  This will be a behavior change from Firefox 4, where
> I believe the set was ignored entirely.  Testcase:
>
> <iframe src="javascript:alert('running'); '<html><div style=&quot;height:
> 1000px&quot;></div><div
> id=&quot;test&quot;>test</div><script>location.hash=&quot;test&quot;</script></html>'"></iframe>
>
> Note that those first two behaviors are arguably a violation of the current
> HTML5 drafts, because the URI of a javascript:-generated document is not
> supposed to be a javascript: URI per those drafts.  So you're right that the
> change Gecko is making is black-box detectable using location.hash for the
> moment, but once we implement the HTML5 spec on this (assuming it doesn't
> change) it may not be....

That's very interesting.  The situation in WebKit is substantially
different.  Essentially, JavaScript URLs aren't really treated as URLs
at all.  Navigations to JavaScript URLs are intercepted at a relatively
high level, and the script is extracted and executed.  The URL of the
resulting document is just unchanged from the original document.

Adam
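As an added illustration (not code from this thread, from Gecko or from WebKit), the following model runs the two URL policies described above against a javascript: URL shaped like Boris's first testcase. `Frame`, `navigate`, `setHash` and the policy names are hypothetical names introduced here; the sample URL is constructed. Note that "everything after the first '#'" of the serialized URL includes the closing quote of the string literal, so the fragment is `test'` rather than `test`, which is why the quoted testcase gives the div the id `test\'`.

```javascript
// Added illustration, not code from the thread or from any browser: a small
// model of the javascript:-navigation behaviours discussed above. Frame,
// navigate, setHash and the policy names are hypothetical; the javascript:
// URL below is a constructed sample shaped like the thread's first testcase.

// "Everything after the first '#'" of the serialized URL, as Boris describes
// Gecko's scroll-to-fragment code doing. For the sample this includes the
// closing quote of the string literal, giving the fragment "test'".
function fragmentOf(urlString) {
  const i = urlString.indexOf('#');
  return i === -1 ? '' : urlString.slice(i + 1);
}

function withoutFragment(urlString) {
  const i = urlString.indexOf('#');
  return i === -1 ? urlString : urlString.slice(0, i);
}

// Element ids present in a generated document (sufficient for the samples).
function idsIn(html) {
  return [...html.matchAll(/\bid="([^"]*)"/g)].map((m) => m[1]);
}

// Policies modelled:
//   'javascript-url' : the generated document's URL is the javascript: URL
//                      itself (the Gecko behaviour Boris describes; he notes
//                      the HTML5 drafts say it should not be).
//   'origin-url'     : the generated document keeps the originating
//                      document's URL (Adam's description of WebKit).
class Frame {
  constructor(policy, initialUrl) {
    this.policy = policy;
    this.scriptRuns = 0;
    this.document = { url: initialUrl, html: '', hash: '', scrolledTo: null };
  }

  navigate(target) {
    if (!/^javascript:/i.test(target)) {
      const h = fragmentOf(target);
      this.document = { url: target, html: '', hash: h, scrolledTo: null };
      return;
    }
    this.scriptRuns += 1;
    // The sample scripts are single string-literal expressions; evaluating
    // the expression yields the markup of the generated document.
    const html = new Function('return (' + target.slice('javascript:'.length) + ')')();
    const url = this.policy === 'javascript-url' ? target : this.document.url;
    const hash = fragmentOf(url);
    this.document = {
      url,
      html,
      hash,
      scrolledTo: idsIn(html).includes(hash) ? hash : null,
    };
  }

  // Assigning location.hash is a fragment-only navigation: scroll if the id
  // exists, never re-evaluate the script (the behaviour Boris describes).
  setHash(h) {
    this.document.url = withoutFragment(this.document.url) + '#' + h;
    this.document.hash = h;
    this.document.scrolledTo = idsIn(this.document.html).includes(h) ? h : null;
  }
}

// Constructed sample shaped like the first testcase in the thread.
const SAMPLE = "javascript:'<html><div id=\"test\\'\">test</div></html>#test'";

// Navigate a fresh frame to SAMPLE under the given policy, then assign the
// fragment "test'" and report what the document looked like at each step.
function run(policy) {
  const f = new Frame(policy, 'https://example.test/page');
  f.navigate(SAMPLE);
  const afterNavigate = { ...f.document };
  f.setHash("test'");
  return { afterNavigate, afterSetHash: { ...f.document }, scriptRuns: f.scriptRuns };
}
```

Under `'javascript-url'` the generated document already has hash `test'` and scrolls to the matching div on load; under `'origin-url'` it has no fragment until `location.hash` is assigned. In both cases the script runs exactly once, since a fragment-only navigation never re-evaluates it.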

Received on Monday, 20 June 2011 03:19:36 UTC