W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2011

[whatwg] Javascript: URLs as element attributes

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 11 Feb 2011 14:35:47 -0800
Message-ID: <AANLkTi=zVuieXUnuUnAJA_thHTukZwfo6DM6L7Ls2qof@mail.gmail.com>
On Fri, Feb 11, 2011 at 2:20 PM, Charles Pritchard <chuck at jumis.com> wrote:
> On 2/10/2011 12:09 PM, whatwg-request at lists.whatwg.org wrote:
>>
>> Date: Thu, 10 Feb 2011 13:43:11 -0500
>> From: Boris Zbarsky<bzbarsky at MIT.EDU>
>> To: Adam Barth<w3c at adambarth.com>
>>
>> On 2/10/11 1:38 PM, Adam Barth wrote:
>>>
>>> > ?The connection is that these features are unlikely to get implemented
>>> > ?in WebKit anytime soon. ?To the extent that we want the spec to
>>> > ?reflect interoperable behavior across browsers, speccing things that
>>> > ?aren't (and aren't likely to become) interoperable is a net loss.
>>
>> That's fine; I just think that if you mean "Don't specify this because
>> we don't want to implement it and will refuse to do so" you should just
>> say that instead of making it sound like there are unspecified security
>> issues with the proposal.
>
> Boris,
> It's more often your group that makes a stand with merit-less refusals.
> See devicePixelRatio and CSS scrollbar styling for an example of that.
>
> So, sure, I can see why you'd assume other groups would do the same.
>
>
> Adam,
>
> Would you be willing to dig up the bug report on webkit that documented your
> attempts
> to satisfy javascript: urls in embedding?
>
> I did a little bit of poking around, but didn't find it.

https://bugs.webkit.org/show_bug.cgi?id=9706
https://bugs.webkit.org/show_bug.cgi?id=12408

This is the bug I was thinking about (although not all the discussion
was captured in the bug):
https://bugs.webkit.org/show_bug.cgi?id=16855

Most directly related is this bug, which unfortunately is marked
security-sensitive.  I've added Boris to the CC list of this bug, but
unfortunately I can't open it up to the public at the moment:

https://bugs.webkit.org/show_bug.cgi?id=41483

> I agree that data-uris are much easier/preferable, but I'd still like to see
> where the conversation went
> on the webkit dev list and/or bug list.

Hopefully the links above are helpful.  Not all the discussion is
captured in the bug database.  Some of it happens on mailing lists and
in IRC (as well as in person).

Adam
Received on Friday, 11 February 2011 14:35:47 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:30 UTC