[html5] r1501 - /

whatwg at whatwg.org whatwg at whatwg.org
Mon Apr 28 14:45:26 PDT 2008


Author: ianh
Date: 2008-04-28 14:45:23 -0700 (Mon, 28 Apr 2008)
New Revision: 1501

Modified:
   index
   source
Log:
[] (0) Tighten security a little: <img src='javascript:'> and javascript: in a style sheet should be in a sandbox.

Modified: index
===================================================================
--- index	2008-04-28 10:58:30 UTC (rev 1500)
+++ index	2008-04-28 21:45:23 UTC (rev 1501)
@@ -27154,8 +27154,7 @@
      <dt>If a script is a <a href="#the-javascript" title="javascript
       protocol"><code title="">javascript:</code> URI</a> in a style sheet
 
-     <dd>The origin is the origin of the <code>Document</code> to which the
-      style sheet applies.
+     <dd>The origin is the origin of the URI of the style sheet.
 
      <dt>If a script is a <a href="#the-javascript" title="javascript
       protocol"><code title="">javascript:</code> URI</a> to which a <a
@@ -27302,11 +27301,7 @@
    <em>different</em> <a href="#origin0">origin</a> than the script given by
    the URI, the dereference context must be an empty object.
 
-  <p>Otherwise, the dereference context must the <a
-   href="#browsing0">browsing context</a> of the <code>Document</code> to
-   which belongs the element for which the URI is being dereferenced, or to
-   which the style sheet for which the URI is being dereferenced applies,
-   whichever is appropriate.
+  <p>Otherwise, the dereference context must be an empty object.
 
   <p>URIs using the <code title="">javascript:</code> protocol should be
    evaluated when the resource for that URI is needed, unless <a
@@ -27333,8 +27328,8 @@
    <p>So for example a <code title="">javascript:</code> URI for a <code
     title=attr-img-src><a href="#src">src</a></code> attribute of an <code><a
     href="#img">img</a></code> element would be evaluated in the context of
-    the page as soon as the attribute is set; it would then be sniffed to
-    determine the image type and decoded as an image.</p>
+    an empty object as soon as the attribute is set; it would then be sniffed
+    to determine the image type and decoded as an image.</p>
 
    <p>A <code title="">javascript:</code> URI in an <code
     title=attr-a-href>href</code> attribute of an <code><a

Modified: source
===================================================================
--- source	2008-04-28 10:58:30 UTC (rev 1500)
+++ source	2008-04-28 21:45:23 UTC (rev 1501)
@@ -24860,8 +24860,7 @@
      <dt>If a script is a <span title="javascript protocol"><code
      title="">javascript:</code> URI</span> in a style sheet</dt>
 
-     <dd>The origin is the origin of the <code>Document</code> to which
-     the style sheet applies.</dd>
+     <dd>The origin is the origin of the URI of the style sheet.</dd>
 
 
      <dt>If a script is a <span title="javascript protocol"><code
@@ -25034,11 +25033,7 @@
   <em>different</em> <span>origin</span> than the script given by the
   URI, the dereference context must be an empty object.</p>
 
-  <p>Otherwise, the dereference context must the <span>browsing
-  context</span> of the <code>Document</code> to which belongs the
-  element for which the URI is being dereferenced, or to which the
-  style sheet for which the URI is being dereferenced applies,
-  whichever is appropriate.</p>
+  <p>Otherwise, the dereference context must be an empty object.</p>
 
   <p>URIs using the <code title="">javascript:</code> protocol should
   be evaluated when the resource for that URI is needed, unless
@@ -25065,9 +25060,9 @@
 
    <p>So for example a <code title="">javascript:</code> URI for a
    <code title="attr-img-src">src</code> attribute of an
-   <code>img</code> element would be evaluated in the context of the
-   page as soon as the attribute is set; it would then be sniffed to
-   determine the image type and decoded as an image.</p>
+   <code>img</code> element would be evaluated in the context of an
+   empty object as soon as the attribute is set; it would then be
+   sniffed to determine the image type and decoded as an image.</p>
 
    <p>A <code title="">javascript:</code> URI in an <code
    title="attr-a-href">href</code> attribute of an <code>a</code>




More information about the Commit-Watchers mailing list