On Tue, 25 Sep 2007 14:52:17 +0200, Anne van Kesteren <annevk@opera.com> wrote: > It would be nice to get some implementation feedback on what to do about > data:, javascript: etc. Determining the origin of data:, javascript: URIs when they are responsible for making the request is defined by HTML5, but it's not really clear to me what should happen when somebody does: 1. client.open("data:...") 2. client.open("javascript:...") should that always work or always throw? Testing shows that browsers throw (Firefox, Internet Explorer, Opera), except that Opera allows access to data:. The simplest thing to do would be to disallow everything that does not have any of the scheme, ihost or port components, but I'm open to other suggestions. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>Received on Tuesday, 2 October 2007 15:22:05 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT