- From: Philip Jägenstedt <philipj@opera.com>
- Date: Thu, 25 Nov 2010 15:10:08 +0100
On Tue, 16 Nov 2010 02:15:45 +0100, Ian Hickson <ian at hixie.ch> wrote: > On Wed, 11 Aug 2010, Boris Zbarsky wrote: >> >> For what it's worth, as I see it there are three possible behaviors for >> a javascript: URI (whether in an attribute value or elsewhere): >> >> 1) Don't run the script. >> 2) Run the script, but in a sandbox. >> 3) Run the script against some Window object (which one?) >> >> Defining which of these happens in which case would be good. Again, >> Gecko's behavior is #2 by default (in all sorts of situations; basically >> anywhere you can dereference a URI), with exceptions made to do #3 in >> some cases. > > That's what the spec says currently. I've recently had reason to dabble with inline javascript: URLs in Opera, trying to figure out what the interoperability constraints are. Opera's current behavior is to execute javascript: URLs except for in the context of <img>, <embed>, <applet> and any inline loads from CSS. Before I was aware of this thread, I went through the different kinds of contexts where we do allow javascript: to execute, comparing to other browsers. The results: <video poster="javascript:..."> only executed by Opera <script src="javascript:..."> only executed by Opera <bgsound src="javascript:..."> only executed by Opera <object data="javascript:..."> only executed by Opera and Firefox (I haven't looked at <iframe>, as we don't treat that as an inline load in the same way as the above.) Based on this, unless there are corner-cases I've missed, it seems unlikely that there's a large body of web content that depends on inline javascript: URLs executing. My current plan is to try completely blocking javascript: URLs in the contexts mentioned above. This seems to be the simplest to implement and the fastest way to reach interoperability. The alternative is to start executing javascript: URLs in more contexts, which, even if sandboxed, doesn't seem particularly useful. I'll keep you posted if there are any compatibility issues that come up with this. Assuming (boldly) there is not, would there be support from other browsers to move in this direction and change the spec to match? (It seems that IE and WebKit are already basically already doing what I'm advocating.) -- Philip J?genstedt Core Developer Opera Software
Received on Thursday, 25 November 2010 06:10:08 UTC