W3C home > Mailing lists > Public > www-style@w3.org > May 2015

Re: [css-images][css-values] banning javascript: urls

From: Florian Rivoal <florian@rivoal.net>
Date: Wed, 6 May 2015 23:59:24 +0200
Cc: www-style list <www-style@w3.org>
Message-Id: <5579E1A7-BF01-42BF-B57A-21BE96657B22@rivoal.net>
To: "Tab Atkins Jr." <jackalmage@gmail.com>

> On 06 May 2015, at 23:46, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> 
> On Wed, May 6, 2015 at 1:51 PM, Florian Rivoal <florian@rivoal.net> wrote:
>> As shown in this presentation, firefox used to let you load "javascript:" urls as <image> values, and do fun things like freeze the browser.
>> 
>> https://www.youtube.com/watch?feature=player_detailpage&v=WjP7TEKB7Uo#t=1542
>> 
>> As far as I can tell, this no longer reproduces, but this should probably be explicitly forbidden by the spec anyway.
> 
> Once I rebase CSS's loading behavior on top of the Fetch spec,
> javascript: urls will stop working per spec.
> 
> (I don't think I can do much about loading file:///dev/tty, or
> fil:///dev/urandom, or similar bad files.)

Sounds like a plan. When do you plan to do that?

That also means we'll get to do "background: url('about:unicorn')" [1], which sounds like good news to me.

 - Florian

[1] https://fetch.spec.whatwg.org/#unicorn
Received on Wednesday, 6 May 2015 21:59:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:08:54 UTC