[whatwg] Javascript: URLs as element attributes

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 10 Feb 2011 09:29:17 -0500
Message-ID: <4D53F63D.4030504@mit.edu>

On 2/10/11 4:36 AM, Adam Barth wrote:
> Apologies for not reading the whole thread before replying, but the
> design Darin describes below has worked well in WebKit thus far.  I'd
> be hesitant to make JavaScript URLs work in more contexts due to the
> risk of introducing security vulnerabilities into the engine.

For what it's worth, Gecko treats javascript: URLs as a general 
protocol, but with tracking of where the URL came from required for the 
script to actually execute and explicit opt-in on the caller's part 
required to execute outside a sandbox.

This too has worked well in terms of security, for what it's worth, 
while offering a lot more flexibility in terms of how and where 
javascript: URIs can work.

I don't think we should gate the spec here on WebKit's implementation
details if we think a certain behavior is correct but hard to support in
WebKit....

-Boris
Received on Thursday, 10 February 2011 06:29:17 UTC
