- From: Justin James <j_james@mindspring.com>
- Date: Tue, 12 Aug 2008 00:18:41 -0400
- To: "'Ian Hickson'" <ian@hixie.ch>, "'Boris Zbarsky'" <bzbarsky@MIT.EDU>
- Cc: "'Toby A Inkster'" <tai@g5n.co.uk>, <public-html@w3.org>
> -----Original Message-----
> From: Ian Hickson [mailto:ian@hixie.ch]
> Sent: Monday, August 11, 2008 8:23 PM
> To: Boris Zbarsky
> Cc: Justin James; 'Toby A Inkster'; public-html@w3.org
> Subject: Re: <script src=javascript:"..."> should do nothing
>
> On Mon, 11 Aug 2008, Boris Zbarsky wrote:
> >
> > Justin James wrote:
> > > If other @src's allow javascript:, why *wouldn't* we allow it in <script>?
> >
> > The spec currently does.
>
> Actually right now the spec specifically says that javascript: in <script
> src=""> does nothing, for compatibility with existing UAs. (I doubt that
> the three biggest UAs would all ignore javascript: in this one specific
> case if there wasn't content relying on that, so it seems unwise to not
> also require this in the spec.)

What content could possibly count on the *lack* of support for something like this? I am just not able to conceive of a situation where someone says:

<script src="javascript:alert('The surprise is on you, I don't work!');" />

And then requires the browser to ignore it.

I suspect that the reasoning is one of the following (but can't confirm without input from representatives of the browsers, of course):

* It never occurred to anyone to support javascript: URLs in the @src, since using the <script> element anyways lets you put JavaScript in as content.
* There is a perceived (real or imagined) security risk here.
* The HTML 4 spec may not have explicitly said to support this, so no one did.

Just some thoughts. But most importantly, I cannot envision any scenario where a developer would bank on a browser not interpreting a javascript: URL in the @src of <script>.

J.Ja
Received on Tuesday, 12 August 2008 04:19:42 UTC