[whatwg] Javascript: URLs as element attributes
Philip Jägenstedt
philipj at opera.com
Wed Dec 1 00:16:54 PST 2010
On Tue, 30 Nov 2010 20:30:31 +0100, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 11/30/10 4:35 AM, Philip Jägenstedt wrote:
>> No, as far as I know, Opera hasn't ever sandboxed any inline javascript:
>> URL execution.
>
> So <img src="javascript:"> runs the JS in the page's context in Opera?

No, <img> was on the list of inlines where javascript: URL execution was
explicitly blocked. However, in the contexts where javascript: URLs did
execute, they did so in the containing document's context. (See my first
mail in this thread for both lists.)

>>> Also, note that <embed src="javascript:"> and <applet
>>> something="javascript:"> (can't recall the attr name right now) also
>>> execute the script in Firefox. Do they in Opera?
>>
>> Neither of these execute in Opera, both were explicitly blocked before I
>> started looking into the issue. Note that I can't get <applet
>> something="javascript:"> to execute in Firefox either, perhaps it needs
>> a special value for "something"
>
> Right; see the "can't recall" bit above. code="javascript:" maybe?
>
>> or the Java plugin must be installed?
>
> This might be needed too, yes.

Someone who manages to install a working Java plugin might want to test
this. It doesn't seem like it could be a compat issue to me.

>> It seems to me that after sandboxing, javascript: URLs will be quite
>> useless. You can only use them where the content is text
>
> That's not the case, actually. At least in Gecko, the return value
> string is examined to see whether all the charcode values are < 255. If
> they are, then the string is converted to a byte array by just dropping
> the high byte of every char. So you can pretty easily generate image
> data this way.
>
> If any of the bytes are > 255, then the string is encoded as UTF-8
> instead.

Do you do that just for inlines, or also when navigating to javascript:
URLs? If it's both, then that's something we'd need to standardize, unless
all browsers already do the same.

>> and the script has to be completely self-confined
>
> Indeed.
>
>> Using data: URLs will allow you to
>> generate the data in the outer environment, and it's possible to
>> generate binary data.
>
> Right. Now that data: support is universal, there may be a lot less
> need for javascript: returning data, except for compat reasons.

Indeed, so the question is just what the compat constraints are.

>> So far, it seems that the fastest way to reach compat between browsers
>> is to simply not run inline javascript: URLs.
>
> Except for frames/iframes, right?

Right, these aren't inlines, in Opera terminology at least. As far as I
can see the spec agrees on this, as frames/iframes have their own browsing
contexts.
--
Philip Jägenstedt
Core Developer
Opera Software
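
The string-to-bytes rule quoted above for Gecko, sketched as an added example (not Gecko's code and not written by anyone in this thread). The function names are hypothetical, the sample strings are constructed, and code unit 255 is assumed to fall on the single-byte side of the "< 255" check.

```javascript
// Added illustration of the conversion described in the quoted reply.
// Hypothetical helper: turns the string a javascript: URL evaluated to
// into the bytes that would be handed to the image/content decoder.
function javascriptUrlResultToBytes(result) {
  // Pass 1: does every UTF-16 code unit fit in one byte?
  // Assumption: 0xFF itself counts as fitting.
  let fitsInOneByte = true;
  for (let i = 0; i < result.length; i++) {
    if (result.charCodeAt(i) > 0xff) {
      fitsInOneByte = false;
      break;
    }
  }

  if (fitsInOneByte) {
    // "Dropping the high byte of every char": one byte per code unit.
    const bytes = new Uint8Array(result.length);
    for (let i = 0; i < result.length; i++) {
      bytes[i] = result.charCodeAt(i) & 0xff;
    }
    return { mode: "bytes", bytes };
  }

  // Otherwise the whole string is encoded as UTF-8.
  return { mode: "utf-8", bytes: new TextEncoder().encode(result) };
}

// Hex dump helper so results are easy to compare.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");
}

// Constructed sample inputs.
const gifLike = javascriptUrlResultToBytes("GIF89a\x01\x00\xff"); // binary-safe path
const latin1 = javascriptUrlResultToBytes("\u00e9");              // "é" alone
const mixed = javascriptUrlResultToBytes("\u00e9\u20ac");         // "é" plus "€"

console.log(gifLike.mode, toHex(gifLike.bytes));
console.log(latin1.mode, toHex(latin1.bytes));
console.log(mixed.mode, toHex(mixed.bytes));
```

A single code unit above the threshold switches the whole string to UTF-8, so the same character ("é") is emitted as one byte in one result and two bytes in another.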