W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

Re: javascript URIs on stylesheets/redirections

From: <sird@rckc.at>
Date: Tue, 26 Jan 2010 09:50:48 +0800
Message-ID: <8ba534861001251750o14ece807ne194e1672fadbdc7@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-web-security@w3.org
Ohh I got scared for a while! :)

Thanks for your time Ian!

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Jan 26, 2010 at 9:34 AM, Ian Hickson <ian@hixie.ch> wrote:

> On Mon, 7 Dec 2009, Eduardo Vela wrote:
> >
> > It says:
> > If a script is a javascript: URL in a style sheet
> >     The owner is the URL of the style sheet.
> >
> > That means javascript URIs will be allowed?
>
> No, it just defines the origin of the javascript: URL. Whether javascript:
> works in CSS is an issue for the CSS and javascript: URL specifications.
>
>
> > If a script is a javascript: URL that was returned as the location of an
> > HTTP redirect (or equivalent in other protocols)
> >     The owner is the URL that redirected to the javascript: URL.
> >
> > This is NOT happening as of right now.. on any browser afaik. you can
> try!
> > http://tinyurl.com/jsredirect
> >
> > And preview: http://preview.tinyurl.com/jsredirect
> >
> > The only "redirect" that executes JS are Refresh (via headers or meta)..
> but
> > I wouldn't consider them an HTTP redirect.. per se..
>
> Again, whether it executes or not is not a matter for the HTML5 spec to
> define; I just want to make sure that if it _does_, the origin is
> well-defined.
>
> HTH,
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
Received on Tuesday, 26 January 2010 01:51:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT