- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 29 Nov 2010 10:36:32 -0500

On 11/25/10 9:10 AM, Philip Jägenstedt wrote:
> Based on this, unless there are corner-cases I've missed, it seems
> unlikely that there's a large body of web content that depends on inline
> javascript: URLs executing. My current plan is to try completely
> blocking javascript: URLs in the contexts mentioned above. This seems to
> be the simplest to implement and the fastest way to reach
> interoperability. The alternative is to start executing javascript: URLs
> in more contexts, which, even if sandboxed, doesn't seem particularly
> useful.

Does Opera sandbox <object data="javascript:">? Note that Firefox does not.

Also, note that <embed src="javascript:"> and <applet something="javascript:"> (can't recall the attr name right now) also execute the script in Firefox. Do they in Opera?

> I'll keep you posted if there are any compatibility issues that come up
> with this. Assuming (boldly) there is not, would there be support from
> other browsers to move in this direction and change the spec to match?
> (It seems that IE and WebKit are already basically already doing what
> I'm advocating.)

The reason Firefox runs javascript: in <object> is <https://bugzilla.mozilla.org/show_bug.cgi?id=300263>. I could probably be convinced to either run it in a sandbox or not run altogether, though I would strongly prefer the sandbox approach....

-Boris

Received on Monday, 29 November 2010 07:36:32 UTC