[whatwg] Javascript: URLs as element attributes
Simon Pieters
simonp at opera.com
Thu Dec 2 02:38:33 PST 2010
On Thu, 02 Dec 2010 09:32:43 +0100, Philip Jägenstedt <philipj at opera.com> wrote:
>>> Right, these aren't inlines, in Opera terminology at least. As far as I
>>> can see the spec agrees on this, as frames/iframes have their own
>>> browsing contexts.
>>
>> So do <object>s, sometimes, right?
>
> Yes, but as far as I can tell from the algorithm [1], the browsing
> context isn't created until step 8, after the URL in data="" has been
> resolved and fetched. In other words, at the time the steps for handling
> javascript: [2] are run, there's no browsing context, and it will be
> treated as any other inline.
What if the steps are run because the data attribute changed?
<object data=data:,foo></object>
<script>
document.getElementsByTagName('object')[0].data = 'javascript:alert(1)';
</script>
> This is a good thing IMO, as it would be quite confusing if the context
> in which the script executed depended on the expected type of the
> <object> content.
>
> The spec change that I'm suggesting is to remove the case "If the
> Document object of the element, attribute, or style sheet from which the
> javascript: URL was reached has an associated browsing context", which
> would mean (among other things) that <object data="javascript:..."> would
> never execute. But again, let's wait a little bit longer and see if any
> compat issues arise.
>
> [1]
> http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element
> [2]
> http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#javascript-protocol
--
Simon Pieters
Opera Software
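The two assignments in the message above (data:,foo in markup, javascript:alert(1) set later through the data property) are exactly what a page-side sanitizer has to tell apart. The following is an added example, not code from the thread or from Opera: it resolves an attribute value with the WHATWG URL parser (Node's global URL class) and refuses the assignment when the scheme is javascript:. The base URL, the URL_ATTRIBUTES list and the function names are assumptions for this example.

```javascript
// Added example (not part of the thread): a defender-side check for the
// situation discussed above, where a javascript: URL reaches a URL-bearing
// attribute such as <object data="..."> either in markup or later through
// the DOM property (element.data = 'javascript:alert(1)').
// Scheme detection uses the WHATWG URL parser (Node's global URL class), so
// it sees the value the way the browser's navigation algorithm would:
// leading/trailing whitespace, embedded tabs and newlines, and letter case
// do not hide the scheme. The base URL is an assumed placeholder.

const ASSUMED_BASE = 'https://example.invalid/';

// Attribute names that carry navigable URLs (assumed list for this example;
// extend it to match the elements your sanitizer handles).
const URL_ATTRIBUTES = new Set(['data', 'src', 'href', 'action', 'formaction']);

// Returns true when the value would resolve to a javascript: URL.
function isScriptUrl(value, base = ASSUMED_BASE) {
  let parsed;
  try {
    parsed = new URL(String(value), base);
  } catch {
    return false; // unparseable: the browser would not navigate anywhere
  }
  return parsed.protocol === 'javascript:';
}

// Validates one attribute assignment: returns the value to keep, or null
// when the assignment should be refused. Non-URL attributes pass through.
function checkUrlAttribute(attrName, value) {
  if (!URL_ATTRIBUTES.has(attrName.toLowerCase())) return value;
  return isScriptUrl(value) ? null : value;
}

// The two assignments from the message above, run through the check.
function demo() {
  return {
    markup: checkUrlAttribute('data', 'data:,foo'),            // kept
    dynamic: checkUrlAttribute('data', 'javascript:alert(1)'), // refused
  };
}
```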