On 11/25/10 9:10 AM, Philip Jägenstedt wrote:
> Based on this, unless there are corner-cases I've missed, it seems
> unlikely that there's a large body of web content that depends on inline
> javascript: URLs executing. My current plan is to try completely
> blocking javascript: URLs in the contexts mentioned above. This seems to
> be the simplest to implement and the fastest way to reach
> interoperability. The alternative is to start executing javascript: URLs
> in more contexts, which, even if sandboxed, doesn't seem particularly
> useful.

Does Opera sandbox <object data="javascript:">? Note that Firefox does not.

Also, note that <embed src="javascript:"> and <applet something="javascript:"> (can't recall the attr name right now) also execute the script in Firefox. Do they in Opera?

> I'll keep you posted if there are any compatibility issues that come up
> with this. Assuming (boldly) there is not, would there be support from
> other browsers to move in this direction and change the spec to match?
> (It seems that IE and WebKit are already basically doing what
> I'm advocating.)

The reason Firefox runs javascript: in <object> is <https://bugzilla.mozilla.org/show_bug.cgi?id=300263>. I could probably be convinced to either run it in a sandbox or not run altogether, though I would strongly prefer the sandbox approach....

-Boris

Received on Monday, 29 November 2010 07:36:32 UTC