Re: [css-images][css-values] banning javascript: urls

From: Henrik Andersson <henke@henke37.cjb.net>
Date: Wed, 06 May 2015 23:09:17 +0200
Message-ID: <554A82FD.6040803@henke37.cjb.net>
To: Florian Rivoal <florian@rivoal.net>, www-style list <www-style@w3.org>

Florian Rivoal wrote:
> As shown in this presentation, Firefox used to let you load "javascript:" urls as <image> values, and do fun things like freeze the browser.
>
> https://www.youtube.com/watch?feature=player_detailpage&v=WjP7TEKB7Uo#t=1542
>
> As far as I can tell, this no longer reproduces, but this should probably be explicitly forbidden by the spec anyway.
>
>  - Florian
>
>
Why stop at javascript? Let's just ban all funny urls that lead to
surprises! I am *sure* that there is an authoritative list on
protocols that have side effects.
Received on Wednesday, 6 May 2015 21:09:54 UTC
