- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 10 Feb 2011 09:29:17 -0500
On 2/10/11 4:36 AM, Adam Barth wrote: > Apologies for not reading the whole thread before replying, but the > design Darin describes below has worked well in WebKit thus far. I'd > be hesitant to make JavaScript URLs work in more contexts due to the > risk of introducing security vulnerabilities into the engine. For what it's worth, Gecko treats javascript: URLs as a general protocol, but with tracking of where the URL came from required for the script to actually execute and explicit opt-in on the caller's part required to execute outside a sandbox. This too has worked well in terms of security, for what it's worth, while offering a lot more flexibility in terms of how and where javascript: URIs can work. I don't think we should gate the spec here on Webkit's implementation details if we think a certain behavior is correct but hard to support in Webkit.... -Boris
Received on Thursday, 10 February 2011 06:29:17 UTC