- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 16 Nov 2010 01:15:45 +0000 (UTC)
On Wed, 11 Aug 2010, Cris Neckar wrote: > > The HTML5 Spec is somewhat ambiguous on the handling of javascript: URLs > when supplied as attributes to different elements. It does not > specifically prohibit handling them in most cases but I was wondering if > this has been discussed and whether there is consensus on correct > behavior. I don't understand what's ambiguous. As far as I can tell the spec covers all the cases you describe in detail. On Wed, 11 Aug 2010, Boris Zbarsky wrote: > > Gecko's currently-intended behavior is to do what section 6.1.5 > describes in all cases except: > > <iframe src="javascript:"> > <object data="javascript:"> > <embed src="javascript:"> > <applet code="javascript:"> What does it do for those cases if it doesn't match the spec? I presume <script src="javascript:"> is also special; the HTML spec handles that one separately (it does nothing, for historical reasons). > > Has there been discussion on this in the past? If not we should work > > towards defining which of these we want to allow and which we should > > block. > > Agreed. > > For what it's worth, as I see it there are three possible behaviors for > a javascript: URI (whether in an attribute value or elsewhere): > > 1) Don't run the script. > 2) Run the script, but in a sandbox. > 3) Run the script against some Window object (which one?) > > Defining which of these happens in which case would be good. Again, > Gecko's behavior is #2 by default (in all sorts of situations; basically > anywhere you can dereference a URI), with exceptions made to do #3 in > some cases. That's what the spec says currently. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 15 November 2010 17:15:45 UTC