- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 28 Sep 2012 18:26:33 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: whatwg@lists.whatwg.org
On Fri, 28 Sep 2012, Boris Zbarsky wrote:
>
> If you're trying to define behavior for various cases of javascript:,
> you should consider defining the following, to the extent that they're
> not already defined:
>
> 1) Whether the script executes (compare <img src> vs <iframe src>),
>    but note that some UAs _do_ run the script for <img src>, but in
>    a sandbox).

This is specced in HTML, though HTML doesn't match all the UAs; many UAs
have more paranoid behaviour than I think is necessary.

> 2) When the script evaluates (sync vs async, say).

That's specced.

> 3) The global object the script evaluates against.

This is specced also.

> 4) The origin and effective script origin of the script.

Definitely specced.

> 5) What happens when this doesn't match the origin or effective script
>    origin or whatever of the global object the script is evaluating
>    against.

I think this is specced. Can you elaborate on what you mean?

> 6) Interactions with sandboxed iframes and CSP. What happens when
>    the parent page sets the location of a sandboxed iframe to a
>    javascript: URI, for example? I would be slightly shocked if
>    there is UA interop here.

This is specced, though it might not be right. I haven't checked recently.

> 7) Handling of the return value of the script.

I believe this is specced.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 28 September 2012 18:27:19 UTC