Re: [whatwg] Stricter data URL policy

On Wed, 9 Jul 2014, Jonas Sicking wrote:
> But javascript: is sort of screwed no matter what. A javascript URL 
> inheritely will run javascript, and it always does so in the origin of 
> whoever set the url. So pages will have to look for javascript: anytime 
> they are handling URLs.
> But it's better if pages only have to look for javascript: when handling 
> URLs. Rather than having to look for javascript:, data:, blob: and 
> nextbigthing:.
> I'd love to simply deprecate javascript:. It doesn't seem like the use 
> cases are worth the complexity for both implementations and authors. But 
> I think it's too commonly used these days to get rid of. At least for 
> quite some time. About 100x the usage of sync XHR if [1] means that I 
> guess it means.

Note that 'javascript:' at this point is about as deprecated as I think we 
can get it. It's just special-cased logic in the navigation algorithm. 
Everywhere else, it just gets treated as an unknown URL scheme.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 10 July 2014 22:16:40 UTC