Re: [css-images][css-values] banning javascript: urls

On Wed, May 6, 2015 at 1:51 PM, Florian Rivoal <florian@rivoal.net> wrote:
> As shown in this presentation, Firefox used to let you load "javascript:" urls as <image> values, and do fun things like freeze the browser.
>
> https://www.youtube.com/watch?feature=player_detailpage&v=WjP7TEKB7Uo#t=1542
>
> As far as I can tell, this no longer reproduces, but this should probably be explicitly forbidden by the spec anyway.

Once I rebase CSS's loading behavior on top of the Fetch spec,
javascript: urls will stop working per spec.

(I don't think I can do much about loading file:///dev/tty, or
file:///dev/urandom, or similar bad files.)

~TJ

Received on Wednesday, 6 May 2015 21:47:22 UTC