[whatwg] Fallback behavior

Jonas Sicking jonas at sicking.cc
Thu Aug 21 17:31:43 PDT 2008


Simon Pieters wrote:
> On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
> 
>> Here is the list of elements that we *don't* execute scripts inside of 
>> in firefox:
>>
>> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>>
>> i.e. <iframe>, <noframes>, <noembed>
>>
>> Everywhere else we do execute the script.
>>
>> The reason these elements ended up on the list is in bugs
>> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
>> https://bugzilla.mozilla.org/show_bug.cgi?id=26669
> 
> iframe, noframes and noembed are parsed as CDATA elements
> 
>    http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E
> 
> so there can't be any script elements as children of those in text/html. 
> In Opera and WebKit, the script executes in
> 
>    data:text/xml,<iframe xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>
> 
> and it hasn't caused us any problems AFAIK.

Looks like Firefox doesn't parse the contents of the <iframe> as markup 
either, but rather treats it as CDATA. Which makes me wonder why we ever 
look for <iframe>s in the parent chain :)

I suspect it's just remnants from when things worked differently, the 
check was put in in 1999 :)

But the effect is that even in XHTML, like the example you're providing 
above, scripts in iframes don't execute. This was not intentional though 
given that this code was put in in 1999, before we had xhtml support.

/ Jonas
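
The parent-chain check discussed in this thread, modelled as an added example (not part of the original message and not Mozilla's code): the input is parsed as XML, where <script> really is a child element of <iframe>, and a script is reported as non-executing when any XHTML ancestor is <iframe>, <noframes> or <noembed>. The function names and the second and third sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Elements the thread lists as ones Firefox does not execute scripts inside of.
NO_EXEC_ANCESTORS = {"iframe", "noframes", "noembed"}

# The XML document quoted in the thread (body of the data:text/xml URL).
PAGE_EXAMPLE = ("<iframe xmlns='http://www.w3.org/1999/xhtml'>"
                "<script>alert(1)</script></iframe>")
# Constructed samples: a script outside the listed elements, and one nested deeper.
DIV_EXAMPLE = ("<div xmlns='http://www.w3.org/1999/xhtml'>"
               "<script>alert(1)</script></div>")
NESTED_EXAMPLE = ("<html xmlns='http://www.w3.org/1999/xhtml'><body><noembed>"
                  "<p><script>alert(1)</script></p></noembed></body></html>")


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def classify_scripts(xml_text):
    """Return [(ancestor_chain, would_execute)] for every XHTML <script>.

    would_execute is False when any XHTML ancestor is in NO_EXEC_ANCESTORS,
    which is the behaviour the thread describes for Firefox.
    """
    results = []

    def walk(elem, chain):
        ns, name = split_tag(elem.tag)
        if ns == XHTML_NS and name == "script":
            blocked = any(a in NO_EXEC_ANCESTORS for a in chain)
            results.append((tuple(chain), not blocked))
        # Only XHTML-namespace ancestors may match; mark others so they cannot.
        label = name if ns == XHTML_NS else "{%s}%s" % (ns, name)
        for child in elem:
            walk(child, chain + [label])

    # Inputs here are inline constants; parse untrusted XML with a hardened parser.
    walk(ET.fromstring(xml_text), [])
    return results


if __name__ == "__main__":
    for doc in (PAGE_EXAMPLE, DIV_EXAMPLE, NESTED_EXAMPLE):
        print(classify_scripts(doc))
```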


