- From: <sird@rckc.at>
- Date: Tue, 26 Jan 2010 09:50:48 +0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-web-security@w3.org
- Message-ID: <8ba534861001251750o14ece807ne194e1672fadbdc7@mail.gmail.com>
Ohh I got scared for a while! :)

Thanks for your time Ian!

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Jan 26, 2010 at 9:34 AM, Ian Hickson <ian@hixie.ch> wrote:

> On Mon, 7 Dec 2009, Eduardo Vela wrote:
> >
> > It says:
> > If a script is a javascript: URL in a style sheet
> > The owner is the URL of the style sheet.
> >
> > That means javascript URIs will be allowed?
>
> No, it just defines the origin of the javascript: URL. Whether javascript:
> works in CSS is an issue for the CSS and javascript: URL specifications.
>
> > If a script is a javascript: URL that was returned as the location of an
> > HTTP redirect (or equivalent in other protocols)
> > The owner is the URL that redirected to the javascript: URL.
> >
> > This is NOT happening as of right now.. on any browser afaik. you can try!
> > http://tinyurl.com/jsredirect
> >
> > And preview: http://preview.tinyurl.com/jsredirect
> >
> > The only "redirect" that executes JS are Refresh (via headers or meta).. but
> > I wouldn't consider them an HTTP redirect.. per se..
>
> Again, whether it executes or not is not a matter for the HTML5 spec to
> define; I just want to make sure that if it _does_, the origin is
> well-defined.
>
> HTH,
> --
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 26 January 2010 01:51:42 UTC