
Re: javascript URIs on stylesheets/redirections

From: <sird@rckc.at>
Date: Tue, 26 Jan 2010 18:44:39 +0800
Message-ID: <8ba534861001260244w1138a745ya326e944af72cb9d@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, public-web-security@w3.org

As of right now, stuff like

@import url('javascript:code-here');

runs in a sandboxed context (on Firefox), maybe the same could apply for

-- Eduardo

Sent from Hangzhou, 33, China

On Tue, Jan 26, 2010 at 6:38 PM, gaz Heyes <gazheyes@gmail.com> wrote:

> 2010/1/26 Ian Hickson <ian@hixie.ch>
>> Again, whether it executes or not is not a matter for the HTML5 spec to
>> define; I just want to make sure that if it _does_, the origin is
>> well-defined.
> Why not? What possible use could it be to execute javascript from that
> context? If we define past mistakes at spec. level then those mistakes
> aren't likely to be repeated, no?

Received on Tuesday, 26 January 2010 10:45:43 UTC
