Re: [whatwg] URL: javascript URLs

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 28 Sep 2012 18:26:33 +0000 (UTC)
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Message-ID: <Pine.LNX.4.64.1209281817360.1904@ps20323.dreamhostps.com>
Cc: whatwg@lists.whatwg.org

On Fri, 28 Sep 2012, Boris Zbarsky wrote:
> If you're trying to define behavior for various cases of javascript:, 
> you should consider defining the following, to the extent that they're 
> not already defined:
> 1)  Whether the script executes (compare <img src> vs <iframe src>),
>     but note that some UAs _do_ run the script for <img src>, but in
>     a sandbox.

This is specced in HTML, though HTML doesn't match all the UAs; many UAs 
have more paranoid behaviour than I think is necessary.

> 2)  When the script evaluates (sync vs async, say).

That's specced.

> 3)  The global object the script evaluates against.

This is specced also.

> 4)  The origin and effective script origin of the script.

Definitely specced.

> 5)  What happens when this doesn't match the origin or effective script
>     origin or whatever of the global object the script is evaluating
>     against.

I think this is specced. Can you elaborate on what you mean?

> 6)  Interactions with sandboxed iframes and CSP.  What happens when
>     the parent page sets the location of a sandboxed iframe to a
>     javascript: URI, for example?  I would be slightly shocked if
>     there is UA interop here.

This is specced, though it might not be right. I haven't checked recently.

> 7)  Handling of the return value of the script.

I believe this is specced.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 28 September 2012 18:27:19 UTC
