XHR data: and javascript: requests (was: Re: XHR: definition of same-origin) from Anne van Kesteren on 2007-10-02 (public-webapi@w3.org from October 2007)

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 02 Oct 2007 17:21:55 +0200
To: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tzksytqu64w2qv@annevk-t60.oslo.opera.com>

On Tue, 25 Sep 2007 14:52:17 +0200, Anne van Kesteren <annevk@opera.com>  
wrote:
> It would be nice to get some implementation feedback on what to do about  
> data:, javascript: etc.

Determining the origin of data:, javascript: URIs when they are  
responsible for making the request is defined by HTML5, but it's not  
really clear to me what should happen when somebody does:

  1. client.open("data:...")
  2. client.open("javascript:...")

should that always work or always throw? Testing shows that browsers throw  
(Firefox, Internet Explorer, Opera), except that Opera allows access to  
data:. The simplest thing to do would be to disallow everything that does  
not have any of the scheme, ihost or port components, but I'm open to  
other suggestions.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 2 October 2007 15:22:05 UTC