[html5] r2046 - [] (0) Require that <script src=javascript:...></script> result in no script exe [...]

whatwg at whatwg.org whatwg at whatwg.org
Mon Aug 11 03:14:05 PDT 2008 

Author: ianh
Date: 2008-08-11 03:14:05 -0700 (Mon, 11 Aug 2008)
New Revision: 2046

Modified:
   index
   source
Log:
[] (0) Require that <script src=javascript:...></script> result in no script execution, for any value of '...', for compatibility with most UAs.

Modified: index
===================================================================
--- index	2008-08-11 08:22:52 UTC (rev 2045)
+++ index	2008-08-11 10:14:05 UTC (rev 2046)
@@ -26331,6 +26331,14 @@
      href="#src9">src</a></code> attribute, then the specified resource must
      be <a href="#fetch" title=fetch>fetched</a>.</p>
 
+    <p>For historical reasons, if the <a href="#url">URL</a> is a <a
+     href="#the-javascript" title="javascript protocol"><code
+     title="">javascript:</code> URL</a>, then the user agent must not,
+     despite the requirements in the definition of the <a href="#fetch"
+     title=fetch>fetching</a> algorithm, actually execute the given script,
+     and instead the user agent must act as if it had received an empty HTTP
+     400 response.</p>
+
     <p>Once the fetching process has completed, and the script has <dfn
      id=completed>completed loading</dfn>, the user agent will have to
      complete <a href="#when-a" title="when a script completes loading">the

Modified: source
===================================================================
--- source	2008-08-11 08:22:52 UTC (rev 2045)
+++ source	2008-08-11 10:14:05 UTC (rev 2046)
@@ -23714,6 +23714,14 @@
     attribute, then the specified resource must be <span
     title="fetch">fetched</span>.</p>
 
+    <p>For historical reasons, if the <span>URL</span> is a <span
+    title="javascript protocol"><code title="">javascript:</code>
+    URL</span>, then the user agent must not, despite the requirements
+    in the definition of the <span title="fetch">fetching</span>
+    algorithm, actually execute the given script, and instead the user
+    agent must act as if it had received an empty HTTP 400
+    response.</p>
+
     <p>Once the fetching process has completed, and the script has
     <dfn>completed loading</dfn>, the user agent will have to complete
     <span title="when a script completes loading">the steps described

More information about the Commit-Watchers mailing list