W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2011

[whatwg] Javascript: URLs as element attributes

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 10 Feb 2011 01:36:58 -0800
Message-ID: <AANLkTinPCw_mzxDM_DyLaTyn3PTN+upXE4GvwTwj=Fjt@mail.gmail.com>
Apologies for not reading the whole thread before replying, but the
design Darin describes below has worked well in WebKit thus far.  I'd
be hesitant to make JavaScript URLs work in more contexts due to the
risk of introducing security vulnerabilities into the engine.


On Tue, Nov 30, 2010 at 11:37 AM, Darin Adler <darin at apple.com> wrote:
> In WebKit, we have treated the javascript URL scheme as a special case, with explicit code in the loader, and not handled by general purpose resource protocol machinery. Maciej Stachowiak suggested this approach, back in 2002, and one of the reasons he gave me at the time is that thought WebKit would be more likely to get the security policy right if code paths opted in to JavaScript execution rather than opting out of javascript URL scheme handling.
> ? ?-- Darin
Received on Thursday, 10 February 2011 01:36:58 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:30 UTC