- From: Mark Baker <distobj@acm.org>
- Date: Tue, 2 Oct 2007 12:53:58 -0400
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Web API WG (public)" <public-webapi@w3.org>
On 10/2/07, Anne van Kesteren <annevk@opera.com> wrote:
>
> On Tue, 25 Sep 2007 14:52:17 +0200, Anne van Kesteren <annevk@opera.com>
> wrote:
> > It would be nice to get some implementation feedback on what to do about
> > data:, javascript: etc.
>
> Determining the origin of data:, javascript: URIs when they are
> responsible for making the request is defined by HTML5, but it's not
> really clear to me what should happen when somebody does:
>
> 1. client.open("data:...")
> 2. client.open("javascript:...")
>
> should that always work or always throw? Testing shows that browsers throw
> (Firefox, Internet Explorer, Opera), except that Opera allows access to
> data:. The simplest thing to do would be to disallow everything that does
> not have any of the scheme, ihost or port components, but I'm open to
> other suggestions.
Opera's behaviour sounds sensible. I'd throw on javascript: because
the embedded script could do arbitrary things, whereas the calling
script presumably expects open() to have predictable side effects.
I suppose that a data:text/javascript,... URI should also throw if it
the agent would otherwise execute the embedded script. But I see no
harm in permitting any other non-executable-content data: URIs to be
open()ed.
Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Tuesday, 2 October 2007 16:54:11 UTC