[whatwg] Javascript: URLs as element attributes
Ian Hickson
ian at hixie.ch
Mon Nov 15 17:15:45 PST 2010
On Wed, 11 Aug 2010, Cris Neckar wrote:
>
> The HTML5 Spec is somewhat ambiguous on the handling of javascript: URLs
> when supplied as attributes to different elements. It does not
> specifically prohibit handling them in most cases but I was wondering if
> this has been discussed and whether there is consensus on correct
> behavior.
I don't understand what's ambiguous. As far as I can tell the spec covers
all the cases you describe in detail.
On Wed, 11 Aug 2010, Boris Zbarsky wrote:
>
> Gecko's currently-intended behavior is to do what section 6.1.5
> describes in all cases except:
>
> <iframe src="javascript:">
> <object data="javascript:">
> <embed src="javascript:">
> <applet code="javascript:">
What does it do for those cases if it doesn't match the spec?
I presume <script src="javascript:"> is also special; the HTML spec
handles that one separately (it does nothing, for historical reasons).
> > Has there been discussion on this in the past? If not we should work
> > towards defining which of these we want to allow and which we should
> > block.
>
> Agreed.
>
> For what it's worth, as I see it there are three possible behaviors for
> a javascript: URI (whether in an attribute value or elsewhere):
>
> 1) Don't run the script.
> 2) Run the script, but in a sandbox.
> 3) Run the script against some Window object (which one?)
>
> Defining which of these happens in which case would be good. Again,
> Gecko's behavior is #2 by default (in all sorts of situations; basically
> anywhere you can dereference a URI), with exceptions made to do #3 in
> some cases.
That's what the spec says currently.
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
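The attribute contexts the thread lists (iframe src, object data, embed src, applet code, script src), as an added audit example that is not part of the thread, of the HTML spec, or of Gecko. It scans markup for attribute values that a WHATWG URL parser (Node's built-in `URL`) recognizes as the javascript: scheme, and contrasts that with a naive string-prefix check; the difference is that the URL parser strips leading spaces and C0 controls, removes ASCII tab and newline anywhere in the input, and compares the scheme case-insensitively, so a prefix check misses values a browser would still treat as javascript:. Assumptions: the element/attribute table adds a href, area href, form action, img src and frame src beyond the five elements the thread names; the tag and attribute extraction is a simplified regex tokenizer, and only numeric character references are decoded; the sample markup is constructed. The helper reports where a javascript: URL is present, not which of the three behaviours Boris describes a given engine applies to it.

```javascript
// Added audit helper, not code from the whatwg thread or from any engine.
// Element -> attributes whose value is dereferenced as a URL. The first five
// rows are the contexts named in the thread; the rest are assumptions.
const URL_ATTRIBUTES = {
  iframe: ["src"],
  object: ["data"],
  embed: ["src"],
  applet: ["code"],
  script: ["src"],
  a: ["href"],        // assumption: navigation context
  area: ["href"],     // assumption
  form: ["action"],   // assumption
  img: ["src"],       // assumption
  frame: ["src"],     // assumption
};

// Simplified tokenizer: start tags and their attributes. Not a full HTML
// parser; attribute values containing '>' would break it.
const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Decode only numeric character references (&#106; and &#x6a;), which an HTML
// parser would resolve before the value reaches the URL parser.
function decodeNumericRefs(s) {
  const toChar = (n) => (n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => toChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => toChar(parseInt(d, 10)));
}

// URL-parser-based check: the WHATWG parser strips leading/trailing C0
// controls and spaces, removes tab/newline anywhere, and lowercases the scheme.
// Relative references throw (no base) and cannot be javascript: anyway.
function isJavascriptUrl(value) {
  try {
    return new URL(value).protocol === "javascript:";
  } catch {
    return false;
  }
}

// The naive check many filters use; shown for contrast.
function naiveCheck(value) {
  return value.toLowerCase().startsWith("javascript:");
}

// Walk every start tag, look only at the attributes the table says are URLs,
// decode the value as an HTML parser would, and apply the chosen check.
function findJavascriptUrls(html, check = isJavascriptUrl) {
  const hits = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const tag = tagMatch[1].toLowerCase();
    const watched = URL_ATTRIBUTES[tag];
    if (!watched) continue;
    for (const a of tagMatch[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!watched.includes(name)) continue;
      const value = decodeNumericRefs(a[2] ?? a[3] ?? a[4] ?? "");
      if (check(value)) hits.push({ tag, attr: name, value });
    }
  }
  return hits;
}

// Constructed sample: the thread's five contexts plus one anchor, each with a
// different obfuscation the URL parser normalizes away, and three non-hits.
const SAMPLE = `
<iframe src="javascript:alert(1)"></iframe>
<object data=" JAVAscript:alert(2)"></object>
<embed src="java&#x09;script:alert(3)">
<applet code="javascript:alert(4)"></applet>
<script src="javascript:alert(5)"></script>
<a href="&#106;avascript:alert(6)">x</a>
<img src="https://example.invalid/x.png">
<a href="about:blank">y</a>
<iframe src="/relative/path"></iframe>
`;

for (const h of findJavascriptUrls(SAMPLE)) {
  console.log(`${h.tag} ${h.attr}=${JSON.stringify(h.value)}`);
}
console.log(`naive prefix check finds ${findJavascriptUrls(SAMPLE, naiveCheck).length} of ${findJavascriptUrls(SAMPLE).length}`);
```

On the sample the URL-parser check reports all six javascript: values while the prefix check reports four, missing the leading-space and embedded-tab forms. Whether script actually runs for a given hit is the engine's decision per Boris's three behaviours; per Ian's reply, the spec makes script src a no-op regardless.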