Re: XHR data: and javascript: requests from Anne van Kesteren on 2007-10-04 (public-webapi@w3.org from October 2007)

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 04 Oct 2007 15:18:09 +0200
To: "Mark Baker" <distobj@acm.org>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.tzockjlh64w2qv@annevk-t60.oslo.opera.com>

On Tue, 02 Oct 2007 18:53:58 +0200, Mark Baker <distobj@acm.org> wrote:
> Opera's behaviour sounds sensible.  I'd throw on javascript: because
> the embedded script could do arbitrary things, whereas the calling
> script presumably expects open() to have predictable side effects.
>
> I suppose that a data:text/javascript,... URI should also throw if it
> the agent would otherwise execute the embedded script.  But I see no
> harm in permitting any other non-executable-content data: URIs to be
> open()ed.

data:text/javascript would act the same as simply loading a JavaScript  
file. There's no execution involved there so that's safe. I've allowed  
data: URIs now:

   http://dev.w3.org/2006/webapi/XMLHttpRequest/


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 4 October 2007 13:18:22 UTC