W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2014

Re: [whatwg] Stricter data URL policy

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jul 2014 22:16:13 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Message-ID: <alpine.DEB.2.00.1407102215070.17684@ps20323.dreamhostps.com>
Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>
On Wed, 9 Jul 2014, Jonas Sicking wrote:
> But javascript: is sort of screwed no matter what. A javascript URL 
> inheritely will run javascript, and it always does so in the origin of 
> whoever set the url. So pages will have to look for javascript: anytime 
> they are handling URLs.
> But it's better if pages only have to look for javascript: when handling 
> URLs. Rather than having to look for javascript:, data:, blob: and 
> nextbigthing:.
> I'd love to simply deprecate javascript:. It doesn't seem like the use 
> cases are worth the complexity for both implementations and authors. But 
> I think it's too commonly used these days to get rid of. At least for 
> quite some time. About 100x the usage of sync XHR if [1] means that I 
> guess it means.

Note that 'javascript:' at this point is about as deprecated as I think we 
can get it. It's just special-cased logic in the navigation algorithm. 
Everywhere else, it just gets treated as an unknown URL scheme.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 July 2014 22:16:40 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:21 UTC