- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 11 Aug 2010 15:07:32 -0400
On 8/11/10 2:57 PM, Cris Neckar wrote: > 6.1.5 > "So for example a javascript: URL for a src attribute of an img > element would be evaluated in the context of an empty object as soon > as the attribute is set; it would then be sniffed to determine the > image type and decoded as an image." Right. > Browsers currently deal with these in a fairly ad-hoc way. I used the > following to test a few examples in various browsers. Your test is assuming an "alert" property on the scope chain, and that the value of the property is a function. The first assumption would be false in the situation described in 6.1.5, since an empty object would have no such property. > Firefox 3.6.3: Allows object.data, applet.code, and embed.src. Blocks > all others. > Firefox 3.7.863: Allows object.data and embed.src. Blocks all others. Gecko's currently-intended behavior is to do what section 6.1.5 describes in all cases except: <iframe src="javascript:"> <object data="javascript:"> <embed src="javascript:"> <applet code="javascript:"> > Has there been discussion on this in the past? If not we should work > towards defining which of these we want to allow and which we should > block. Agreed. For what it's worth, as I see it there are three possible behaviors for a javascript: URI (whether in an attribute value or elsewhere): 1) Don't run the script. 2) Run the script, but in a sandbox. 3) Run the script against some Window object (which one?) Defining which of these happens in which case would be good. Again, Gecko's behavior is #2 by default (in all sorts of situations; basically anywhere you can dereference a URI), with exceptions made to do #3 in some cases. -Boris
Received on Wednesday, 11 August 2010 12:07:32 UTC