- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Wed, 6 May 2015 16:04:39 -0700
- To: Florian Rivoal <florian@rivoal.net>
- Cc: www-style list <www-style@w3.org>

On Wed, May 6, 2015 at 2:59 PM, Florian Rivoal <florian@rivoal.net> wrote:
>> On 06 May 2015, at 23:46, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Wed, May 6, 2015 at 1:51 PM, Florian Rivoal <florian@rivoal.net> wrote:
>>> As shown in this presentation, Firefox used to let you load "javascript:" urls as <image> values, and do fun things like freeze the browser.
>>>
>>> https://www.youtube.com/watch?feature=player_detailpage&v=WjP7TEKB7Uo#t=1542
>>>
>>> As far as I can tell, this no longer reproduces, but this should probably be explicitly forbidden by the spec anyway.
>>
>> Once I rebase CSS's loading behavior on top of the Fetch spec,
>> javascript: urls will stop working per spec.
>>
>> (I don't think I can do much about loading file:///dev/tty, or
>> file:///dev/urandom, or similar bad files.)
>
> Sounds like a plan. When do you plan to do that?

Sometime this year.

~TJ

Received on Wednesday, 6 May 2015 23:05:28 UTC