- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 22 Jun 2011 13:34:21 -0400
On 6/22/11 11:51 AM, Hallvord R. M. Steen wrote:
> Opera actually does a check earlier - there is an origin check if a
> script attempts to set location / location.href to a string that starts
> with javascript:.

That's fine, as long as there is _also_ a check right before the script runs.

> (This model is of course safe if the javascript: URL
> executes immediately.

Indeed, which is not the case in many UAs and not the case in the spec last I checked... unless that's changed?

> Well, I somewhat disagree with the "doesn't make much sense" claim here
> ;).

Throwing an exception from the async attempt to execute would do ... what exactly?

> It made sense to me to inform either the setting script

Which isn't on the stack anymore by the time the exception is thrown?

> or the script inside the javascript: URL itself

Which isn't getting run?

-Boris
Received on Wednesday, 22 June 2011 10:34:21 UTC