W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

Re: javascript URIs on stylesheets/redirections

From: <sird@rckc.at>
Date: Tue, 26 Jan 2010 18:44:39 +0800
Message-ID: <8ba534861001260244w1138a745ya326e944af72cb9d@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
as of right now, stuff like

@import url('javascript:code-here');

runs in a sandboxed context (on Firefox), maybe the same could apply for
this?

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Jan 26, 2010 at 6:38 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> 2010/1/26 Ian Hickson <ian@hixie.ch>
>
>> Again, whether it executes or not is not a matter for the HTML5 spec to
>> define; I just want to make sure that if it _does_, the origin is
>> well-defined.
>>
>
> Why not? What possible use could it be to execute javascript from that
> context? If we define past mistakes at spec. level then those mistakes
> aren't likely to be repeated no?
>
Received on Tuesday, 26 January 2010 10:45:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT