- From: Philip Jägenstedt <philipj@opera.com>
- Date: Wed, 01 Dec 2010 09:16:54 +0100
On Tue, 30 Nov 2010 20:30:31 +0100, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 11/30/10 4:35 AM, Philip Jägenstedt wrote:
>> No, as far as I know, Opera hasn't ever sandboxed any inline javascript:
>> URL execution.
>
> So <img src="javascript:"> runs the JS in the page's context in Opera?

No, <img> was on the list of inlines where javascript: URL execution was explicitly blocked. However, in the contexts where javascript: URLs did execute, they did so in the containing document's context. (See my first mail in this thread for both lists.)

>>> Also, note that <embed src="javascript:"> and <applet
>>> something="javascript:"> (can't recall the attr name right now) also
>>> execute the script in Firefox. Do they in Opera?
>>
>> Neither of these execute in Opera, both were explicitly blocked before I
>> started looking into the issue. Note that I can't get <applet
>> something="javascript:"> to execute in Firefox either, perhaps it needs
>> a special value for "something"
>
> Right; see the "can't recall" bit above. code="javascript:" maybe?
>
>> or the Java plugin must be installed?
>
> This might be needed too, yes.

Someone who manages to install a working Java plugin might want to test this. It doesn't seem like it could be a compat issue to me.

>> It seems to me that after sandboxing, javascript: URLs will be quite
>> useless. You can only use them where the content is text
>
> That's not the case, actually. At least in Gecko, the return value
> string is examined to see whether all the charcode values are < 255. If
> they are, then the string is converted to a byte array by just dropping
> the high byte of every char. So you can pretty easily generate image
> data this way.
>
> If any of the bytes are > 255, then the string is encoded as UTF-8
> instead.

Do you do that just for inlines, or also when navigating to javascript: URLs? If it's both, then that's something we'd need to standardize, unless all browsers already do the same.

>> and the script has to be completely self-confined
>
> Indeed.
>
>> Using data: URLs will allow you to
>> generate the data in the outer environment, and it's possible to
>> generate binary data.
>
> Right. Now that data: support is universal, there may be a lot less
> need for javascript: returning data, except for compat reasons.

Indeed, so the question is just what the compat constraints are.

>> So far, it seems that the fastest way to reach compat between browsers
>> is to simply not run inline javascript: URLs.
>
> Except for frames/iframes, right?

Right, these aren't inlines, in Opera terminology at least. As far as I can see the spec agrees on this, as frames/iframes have their own browsing contexts.

--
Philip Jägenstedt
Core Developer
Opera Software
Received on Wednesday, 1 December 2010 00:16:54 UTC
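
The string-to-bytes handling of a javascript: URL's return value, as described for Gecko in the quoted text above, sketched as an added example (not part of the original message and not Gecko's code). The function names and sample strings are hypothetical, and the boundary value 255 is assumed to count as a byte, since the message says both "< 255" and "> 255".

```javascript
// Added illustration of the conversion described in the thread; not Gecko source.
// Assumption: a code unit of exactly 255 is treated as a byte (the mail says
// "< 255" in one place and "> 255" in the other).
function javascriptUrlResultToBytes(result) {
  let fitsInBytes = true;
  for (let i = 0; i < result.length; i++) {
    if (result.charCodeAt(i) > 0xff) {
      fitsInBytes = false;
      break;
    }
  }
  if (fitsInBytes) {
    // Every UTF-16 code unit has a zero high byte: keep only the low byte.
    const bytes = new Uint8Array(result.length);
    for (let i = 0; i < result.length; i++) {
      bytes[i] = result.charCodeAt(i) & 0xff;
    }
    return { mode: "bytes", bytes };
  }
  // One code unit above 255 switches the whole string to UTF-8.
  return { mode: "utf-8", bytes: new TextEncoder().encode(result) };
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Constructed sample return values (hypothetical, not taken from the thread).
const samples = {
  binaryHeader: "GIF89a\u0001\u0000\u00ff", // image-like data built as a string
  latin1Text: "caf\u00e9",                  // all code units fit in one byte
  mixedText: "caf\u00e9 \u20ac",            // the euro sign forces UTF-8
};

function describeSamples() {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    const r = javascriptUrlResultToBytes(value);
    out[name] = `${r.mode}:${toHex(r.bytes)}`;
  }
  return out;
}

console.log(describeSamples());
```

The `é` comes out as the single byte `e9` in the second sample but as `c3 a9` in the third, so the bytes a consumer receives depend on the whole returned string rather than on each character.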