W3C home > Mailing lists > Public > public-webapi@w3.org > October 2007

XHR data: and javascript: requests (was: Re: XHR: definition of same-origin)

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 02 Oct 2007 17:21:55 +0200
To: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tzksytqu64w2qv@annevk-t60.oslo.opera.com>

On Tue, 25 Sep 2007 14:52:17 +0200, Anne van Kesteren <annevk@opera.com>  
> It would be nice to get some implementation feedback on what to do about  
> data:, javascript: etc.

Determining the origin of data:, javascript: URIs when they are  
responsible for making the request is defined by HTML5, but it's not  
really clear to me what should happen when somebody does:

  1. client.open("data:...")
  2. client.open("javascript:...")

should that always work or always throw? Testing shows that browsers throw  
(Firefox, Internet Explorer, Opera), except that Opera allows access to  
data:. The simplest thing to do would be to disallow everything that does  
not have any of the scheme, ihost or port components, but I'm open to  
other suggestions.

Anne van Kesteren
Received on Tuesday, 2 October 2007 15:22:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:57 UTC