[whatwg] Javascript: URLs as element attributes

Simon Pieters simonp at opera.com
Thu Dec 2 02:38:33 PST 2010

On Thu, 02 Dec 2010 09:32:43 +0100, Philip Jägenstedt <philipj at opera.com>  

>>> Right, these aren't inlines, in Opera terminology at least. As far as I
>>> can see the spec agrees on this, as frames/iframes have their own
>>> browsing contexts.
>> So do <object>s, sometimes, right?
> Yes, but as far as I can tell from the algorithm [1], the browsing  
> context isn't created until step 8, after the URL in data="" has been  
> resolved and fetched. In other words, at the time the steps for handling  
> javascript: [2] are run, there's no browsing context, and it will be  
> treated as any other inline.

What if the steps are run because the data attribute changed?

<object data=data:,foo></object>
document.getElementsByTagName('object')[0].data = 'javascript:alert(1)';

> This is a good thing IMO, as it would be quite confusing if the context  
> in which the script executed depended on the expected type of the  
> <object> content.
> The spec change that I'm suggesting is to remove the case "If the  
> Document object of the element, attribute, or style sheet from which the  
> javascript: URL was reached has an associated browsing context", which  
> would mean (among other things) that <object data="javscript:..."> would  
> never execute. But again, let's wait a little bit longer and see if any  
> compat issues arise.
> [1]  
> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element
> [2]  
> http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#javascript-protocol

Simon Pieters
Opera Software

More information about the whatwg mailing list