[whatwg] Javascript: URLs as element attributes from Philip Jägenstedt on 2010-12-01 (public-whatwg-archive@w3.org from December 2010)

From: Philip Jägenstedt <philipj@opera.com>
Date: Wed, 01 Dec 2010 09:16:54 +0100
Message-ID: <op.vm0zygg7sr6mfa@kirk>
On Tue, 30 Nov 2010 20:30:31 +0100, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 11/30/10 4:35 AM, Philip J?genstedt wrote:
>> No, as far as I know, Opera hasn't ever sandboxed any inline javascript:
>> URL execution.
>
> So <img src="javascript:"> runs the JS in the page's context in Opera?

No, <img> was on the list of inlines where javascript: URL execution was  
explicitly blocked. However, in the contexts where javascript: URLs did  
execute, they did so in the containing document's context. (See my first  
mail in this thread for both lists.)

>>> Also, note that <embed src="javascript:"> and <applet
>>> something="javascript:"> (can't recall the attr name right now) also
>>> execute the script in Firefox. Do they in Opera?
>>
>> Neither of these execute in Opera, both were explicitly blocked before I
>> started looking into the issue. Note that I can't get <applet
>> something="javascript:"> to execute in Firefox either, perhaps it needs
>> a special value for "something"
>
> Right; see the "can't recall" bit above.  code="javascript:" maybe?
>
>> or the Java plugin must be installed?
>
> This might be needed too, yes.

Someone who manages to install a working Java plugin might want to test  
this. It doesn't seem like it could be a compat issue to me.

>> It seems to me that after sandboxing, javascript: URLs will be quite
>> useless. You can only use them where the content is text
>
> That's not the case, actually.  At least in Gecko, the return value  
> string is examined to see whether all the charcode values are < 255.  If  
> they are, then the string is converted to a byte array by just dropping  
> the high byte of every char.  So you can pretty easily generate image  
> data this way.
>
> If any of the bytes are > 255, then the string is encoded as UTF-8  
> instead.

Do you do that just for inlines, or also when navigating to javascript:  
URLs? If it's both, then that's something we'd need to standardize, unless  
all browsers already do the same.

>> and the script has to be completely self-confined
>
> Indeed.
>
>> Using data: URLs will allow you to
>> generate the data in the outer environment, and it's possible to
>> generate binary data.
>
> Right.  Now that data: support is universal, there may be a lot less  
> need for javascript: returning data, except for compat reasons.

Indeed, so the question is just what the compat constraints are.

>> So far, it seems that the fastest way to reach compat between browsers
>> is to simply not run inline javascript: URLs.
>
> Except for frames/iframes, right?

Right, these aren't inlines, in Opera terminology at least. As far as I  
can see the spec agrees on this, as frames/iframes have their own browsing  
contexts.

-- 
Philip J?genstedt
Core Developer
Opera Software
Received on Wednesday, 1 December 2010 00:16:54 UTC