W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

Re: javascript URIs on stylesheets/redirections

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 26 Jan 2010 01:34:07 +0000 (UTC)
To: sird@rckc.at
Cc: public-web-security@w3.org
Message-ID: <Pine.LNX.4.64.1001260129560.22027@ps20323.dreamhostps.com>
On Mon, 7 Dec 2009, Eduardo Vela wrote:
> 
> It says:
> If a script is a javascript: URL in a style sheet
>     The owner is the URL of the style sheet.
> 
> That means javascript URIs will be allowed?

No, it just defines the origin of the javascript: URL. Whether javascript: 
works in CSS is an issue for the CSS and javascript: URL specifications.


> If a script is a javascript: URL that was returned as the location of an
> HTTP redirect (or equivalent in other protocols)
>     The owner is the URL that redirected to the javascript: URL.
> 
> This is NOT happening as of right now.. on any browser afaik. you can try!
> http://tinyurl.com/jsredirect
> 
> And preview: http://preview.tinyurl.com/jsredirect
> 
> The only "redirect" that executes JS are Refresh (via headers or meta).. but
> I wouldn't consider them an HTTP redirect.. per se..

Again, whether it executes or not is not a matter for the HTML5 spec to 
define; I just want to make sure that if it _does_, the origin is 
well-defined.

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 26 January 2010 01:34:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT