W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2011

[whatwg] Javascript: URLs as element attributes

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 10 Feb 2011 10:38:54 -0800
Message-ID: <AANLkTimj3KR31RbNiWzum3f7psv+Yb7V_7XaUHp0Nqi2@mail.gmail.com>
On Thu, Feb 10, 2011 at 6:29 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/10/11 4:36 AM, Adam Barth wrote:
>> Apologies for not reading the whole thread before replying, but the
>> design Darin describes below has worked well in WebKit thus far. ?I'd
>> be hesitant to make JavaScript URLs work in more contexts due to the
>> risk of introducing security vulnerabilities into the engine.
>
> For what it's worth, Gecko treats javascript: URLs as a general protocol,
> but with tracking of where the URL came from required for the script to
> actually execute and explicit opt-in on the caller's part required to
> execute outside a sandbox.
>
> This too has worked well in terms of security, for what it's worth, while
> offering a lot more flexibility in terms of how and where javascript: URIs
> can work.
>
> I don't think we should gate the spec here on Webkit's implementation
> details if we think a certain behavior is correct but hard to support in
> Webkit....

The connection is that these features are unlikely to get implemented
in WebKit anytime soon.  To the extent that we want the spec to
reflect interoperable behavior across browsers, speccing things that
aren't (and aren't likely to become) interoperable is a net loss.

Adam
Received on Thursday, 10 February 2011 10:38:54 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:30 UTC