- From: Michael A. Puls II <shadow2531@gmail.com>
- Date: Sun, 17 Jan 2010 00:16:34 -0500
- To: "Boris Zbarsky" <bzbarsky@mit.edu>
- Cc: "public-html WG" <public-html@w3.org>
On Sat, 16 Jan 2010 21:54:33 -0500, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 1/16/10 8:54 PM, Michael A. Puls II wrote:
>> <!DOCTYPE html>
>> <html>
>> <head>
>> <meta charset="utf-8">
>> <title></title>
>> </head>
>> <body>
>> <iframe doc='<!DOCTYPE html>
>> <html>
>> <head>
>> <meta charset="utf-8">
>> <title>test</title>
>> </head>
>> <body>
>> <p>test</p>
>> </body>
>> </html>'></iframe>
>> </body>
>> </html>
>
> Try this in a Gecko-based browser:
>
> <!DOCTYPE html>
> <html>
> <head>
> <meta charset="utf-8">
> <title></title>
> </head>
> <body>
> <iframe src='data:text/html,<!DOCTYPE html>
> <html>
> <head>
> <meta charset="utf-8">
> <title>test</title>
> </head>
> <body>
> <p>test</p>
> </body>
> </html>'></iframe>
> </body>
> </html>
>
> Yes, that's technically not a valid data: URI. Perhaps it's worth just
> making it valid?

Well, few properly percent-encode javascript URIs for bookmarklets etc. Perhaps we can get away with it with data URIs too since browsers use non-strict percent-decoding.

However, when one does this, one has to remember that the consumer of the URI still treats it as percent-encoded data and not a literal. This means that if you want a literal %5E, you still need to do %255E.

I try to always properly percent-encode the data in data: and javascript: URIs to avoid this because sometimes I forget and run into things being treated as %HH because I forgot to escape them. You'll run into this almost any time you try to include a non-basic link in a non-percent-encoded data URI.

For @doc specifically, the browser could treat the data URI as completely literal to avoid this. But, then there's not much point in @doc beginning with "data:text/html;charset=utf-8," for example.

>> @doc is way more readable (the @ value at least), easier to author by
>> hand, and tends to use less bytes than data URIs (although that might
>> depend on how much you have to use entities so the markup doesn't break
>> out of the attribute).
>
> The data: URI as used above will of course always use a few more bytes
> for the "data:text/html," part...
>
>> But, as far as security, I don't remember what @doc has over
>> @src="data:". I think it was mentioned though and had something to do
>> with origin problems with src="data:".
>
> Specifically that some current UAs put src="data:" in the origin of the
> parent page?

Ah, I see.

--
Michael
Received on Sunday, 17 January 2010 05:17:09 UTC
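
The percent-decoding pitfall described in the message above, as an added example that is not part of the original e-mail: markup pasted unencoded into a data: URI has its %HH sequences decoded by the consumer, while a properly encoded payload round-trips. The function names, the sample markup, the example.test link, and the lenient decoder (a model of non-strict percent-decoding, not any browser's actual code) are assumptions made for illustration.

```javascript
// Added example; all names and the sample markup are constructed for illustration.

// Model of non-strict percent-decoding: every valid %HH becomes a byte,
// anything else (including a stray "%") is passed through unchanged.
function lenientPercentDecode(s) {
  const input = new TextEncoder().encode(s);
  const out = [];
  for (let i = 0; i < input.length; i++) {
    const hex = String.fromCharCode(input[i + 1] || 0, input[i + 2] || 0);
    if (input[i] === 0x25 && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2; // skip the two hex digits just consumed
    } else {
      out.push(input[i]);
    }
  }
  return new TextDecoder("utf-8").decode(new Uint8Array(out));
}

const PREFIX = "data:text/html;charset=utf-8,";

// The payload as the consumer of the URI sees it after decoding.
function dataUriPayload(uri) {
  return lenientPercentDecode(uri.slice(uri.indexOf(",") + 1));
}

// Unencoded form, as in the quoted markup: the payload is pasted in as-is.
function rawDataUri(html) {
  return PREFIX + html;
}

// Properly encoded form: "%" becomes "%25", so a literal %5E travels as %255E.
function encodedDataUri(html) {
  return PREFIX + encodeURIComponent(html);
}

// Constructed sample: a link whose query string contains a literal %5E
// and a stray "%" that is not followed by two hex digits.
const sampleHtml = '<p><a href="http://example.test/?q=%5E&r=100%">link</a></p>';

console.log("raw     ->", dataUriPayload(rawDataUri(sampleHtml)));
console.log("encoded ->", dataUriPayload(encodedDataUri(sampleHtml)));
```

In the raw form the link's `%5E` reaches the inner document as `^`, while the stray `%` survives only because the decoder is lenient; the encoded form delivers the markup byte for byte.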