- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 26 Jan 2010 01:34:07 +0000 (UTC)
- To: sird@rckc.at
- Cc: public-web-security@w3.org
On Mon, 7 Dec 2009, Eduardo Vela wrote: > > It says: > If a script is a javascript: URL in a style sheet > The owner is the URL of the style sheet. > > That means javascript URIs will be allowed? No, it just defines the origin of the javascript: URL. Whether javascript: works in CSS is an issue for the CSS and javascript: URL specifications. > If a script is a javascript: URL that was returned as the location of an > HTTP redirect (or equivalent in other protocols) > The owner is the URL that redirected to the javascript: URL. > > This is NOT happening as of right now.. on any browser afaik. you can try! > http://tinyurl.com/jsredirect > > And preview: http://preview.tinyurl.com/jsredirect > > The only "redirect" that executes JS are Refresh (via headers or meta).. but > I wouldn't consider them an HTTP redirect.. per se.. Again, whether it executes or not is not a matter for the HTML5 spec to define; I just want to make sure that if it _does_, the origin is well-defined. HTH, -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 26 January 2010 01:34:36 UTC