[whatwg] <base> elements, again
Adam Barth
w3c at adambarth.com
Mon Jan 24 16:02:03 PST 2011
On Mon, Jan 24, 2011 at 6:06 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> In https://bugzilla.mozilla.org/show_bug.cgi?id=627361 we have a page which
> has a subframe. The subframe has this HTML:
>
> <a href="javascript:do_default(0)">1261192</a>
>
> and near the end of the page has a <base target="_top">.
>
> In current Gecko builds, this fails, because we now allow <base> anywhere in
> the document per http://html5.org/tools/web-apps-tracker?from=5710&to=5711
> and hence the javascript: URI is run against the toplevel window, not the
> subframe's window, and there is no do_default function defined in the
> toplevel window.
>
> This presumably used to work in Gecko before we started trying to implement
> HTML5 <base> stuff because for <base> outside <head> we only applied it to
> <a> elements that came after the <base> when parsing.
>
> Why did/does this markup work in other UAs? Or does it not? Does the spec
> need changes here? As it stands, it's breaking existing markup.
In general, WebKit doesn't understand how to target JavaScript URLs at
other frames. The basic limitation here is similar to why data URLs
in WebKit don't inherit the security origin of their creator. I'd
like to change WebKit to match Gecko on both scores, but it's going to
require some delicate surgery.
Adam
> Note that we made the change to allow <base> anywhere about 10 days ago, and
> got this bug report within 6 days of making this change. So I have to
> assume that this is not an isolated incident, and that there are other pages
> like this out there. Especially because the broken page in this case is
> some sort of enterprise web app thing (Unicenter) which I assume is
> installed in more than one place.
>
> -Boris
>
More information about the whatwg
mailing list