W3C home > Mailing lists > Public > public-webapi@w3.org > October 2007

Re: XHR data: and javascript: requests

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Oct 2007 15:18:09 +0200
To: "Mark Baker" <distobj@acm.org>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tzockjlh64w2qv@annevk-t60.oslo.opera.com>

On Tue, 02 Oct 2007 18:53:58 +0200, Mark Baker <distobj@acm.org> wrote:
> Opera's behaviour sounds sensible.  I'd throw on javascript: because
> the embedded script could do arbitrary things, whereas the calling
> script presumably expects open() to have predictable side effects.
> I suppose that a data:text/javascript,... URI should also throw if it
> the agent would otherwise execute the embedded script.  But I see no
> harm in permitting any other non-executable-content data: URIs to be
> open()ed.

data:text/javascript would act the same as simply loading a JavaScript  
file. There's no execution involved there so that's safe. I've allowed  
data: URIs now:


Anne van Kesteren
Received on Thursday, 4 October 2007 13:18:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:24 UTC