[css-images][css-values] banning javascript: urls

As shown in this presentation, firefox used to let you load "javascript:" urls as <image> values, and do fun things like freeze the browser.

https://www.youtube.com/watch?feature=player_detailpage&v=WjP7TEKB7Uo#t=1542

As far as I can tell, this no longer reproduces, but this should probably be explicitly forbidden by the spec anyway.

 - Florian

Received on Wednesday, 6 May 2015 20:52:00 UTC