[whatwg] Javascript: URLs as element attributes

From: Philip Jägenstedt <philipj@opera.com>
Date: Thu, 25 Nov 2010 15:10:08 +0100
Message-ID: <op.vmqca4xzsr6mfa@kirk>
On Tue, 16 Nov 2010 02:15:45 +0100, Ian Hickson <ian at hixie.ch> wrote:

> On Wed, 11 Aug 2010, Boris Zbarsky wrote:
>>
>> For what it's worth, as I see it there are three possible behaviors for
>> a javascript: URI (whether in an attribute value or elsewhere):
>>
>> 1)  Don't run the script.
>> 2)  Run the script, but in a sandbox.
>> 3)  Run the script against some Window object (which one?)
>>
>> Defining which of these happens in which case would be good.  Again,
>> Gecko's behavior is #2 by default (in all sorts of situations; basically
>> anywhere you can dereference a URI), with exceptions made to do #3 in
>> some cases.
>
> That's what the spec says currently.

I've recently had reason to dabble with inline javascript: URLs in Opera,  
trying to figure out what the interoperability constraints are.

Opera's current behavior is to execute javascript: URLs except for in the  
context of <img>, <embed>, <applet> and any inline loads from CSS.

Before I was aware of this thread, I went through the different kinds of  
contexts where we do allow javascript: to execute, comparing to other  
browsers. The results:

<video poster="javascript:..."> only executed by Opera

<script src="javascript:..."> only executed by Opera

<bgsound src="javascript:..."> only executed by Opera

<object data="javascript:..."> only executed by Opera and Firefox

(I haven't looked at <iframe>, as we don't treat that as an inline load in  
the same way as the above.)

Based on this, unless there are corner-cases I've missed, it seems  
unlikely that there's a large body of web content that depends on inline  
javascript: URLs executing. My current plan is to try completely blocking  
javascript: URLs in the contexts mentioned above. This seems to be the  
simplest to implement and the fastest way to reach interoperability. The  
alternative is to start executing javascript: URLs in more contexts,  
which, even if sandboxed, doesn't seem particularly useful.

I'll keep you posted if there are any compatibility issues that come up  
with this. Assuming (boldly) there are not, would there be support from  
other browsers to move in this direction and change the spec to match? (It  
seems that IE and WebKit are basically already doing what I'm  
advocating.)

-- 
Philip Jägenstedt
Core Developer
Opera Software
Received on Thursday, 25 November 2010 06:10:08 UTC
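
As an added example (not part of the original message, and not Opera's or any other browser's code): a check that flags javascript: URLs in the four element/attribute pairs the message tested. The function names and the sample elements are constructed for illustration; the scheme normalization follows the WHATWG URL parser's preprocessing, so whitespace and mixed case in the scheme do not hide a match.

```javascript
// Element/attribute pairs taken from the message above.
const INLINE_LOAD_ATTRS = new Map([
  ["video", "poster"],
  ["script", "src"],
  ["bgsound", "src"],
  ["object", "data"],
]);

// True if the value would parse as a javascript: URL. Mirrors the URL
// parser's preprocessing: strip leading/trailing C0 control or space
// characters, drop ASCII tab and newline anywhere, then compare the
// scheme case-insensitively.
function isJavascriptUrl(value) {
  if (typeof value !== "string") return false;
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(cleaned);
}

// Accepts any iterable of element-like objects exposing localName and
// getAttribute(), e.g. document.querySelectorAll("*") in a browser.
function findInlineJavascriptLoads(elements) {
  const hits = [];
  for (const el of elements) {
    const attr = INLINE_LOAD_ATTRS.get(el.localName);
    if (!attr) continue; // not one of the inline-load contexts
    const value = el.getAttribute(attr);
    if (isJavascriptUrl(value)) hits.push({ tag: el.localName, attr, value });
  }
  return hits;
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
function fakeElement(localName, attrs) {
  return { localName, getAttribute: (n) => (n in attrs ? attrs[n] : null) };
}

// Constructed sample input.
const SAMPLE = [
  fakeElement("video", { poster: "javascript:void 0" }),
  fakeElement("script", { src: " \tJaVa\nScript:void 0" }),
  fakeElement("object", { data: "https://example.com/movie.swf" }),
  fakeElement("bgsound", { src: "sound/javascript:notascheme.wav" }),
  fakeElement("a", { href: "javascript:void 0" }), // not an inline load
];
```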