[whatwg] Javascript: URLs as element attributes

Philip Jägenstedt philipj at opera.com
Thu Dec 2 04:20:27 PST 2010


On Thu, 02 Dec 2010 11:38:33 +0100, Simon Pieters <simonp at opera.com> wrote:

> On Thu, 02 Dec 2010 09:32:43 +0100, Philip Jägenstedt  
> <philipj at opera.com> wrote:
>
>>>> Right, these aren't inlines, in Opera terminology at least. As far as  
>>>> I
>>>> can see the spec agrees on this, as frames/iframes have their own
>>>> browsing contexts.
>>>
>>> So do <object>s, sometimes, right?
>>
>> Yes, but as far as I can tell from the algorithm [1], the browsing  
>> context isn't created until step 8, after the URL in data="" has been  
>> resolved and fetched. In other words, at the time the steps for  
>> handling javascript: [2] are run, there's no browsing context, and it  
>> will be treated as any other inline.
>
> What if the steps are run because the data attribute changed?
>
> <object data=data:,foo></object>
> <script>
> document.getElementsByTagName('object')[0].data = 'javascript:alert(1)';
> </script>

The relevant step would be step 4: "Fetch the resulting absolute URL, from  
the element's browsing context scope origin if it has one."

So, at this point, there would already be a browsing context, I believe.  
If the only reason this is in the spec is so that javascript: URLs will  
execute in the <object> browsing context, then I suggest that this simply  
be changed so that data="javascript:..." never execute, regardless of  
how/when the attribute was set. Unless there are compat constraints here,  
this seems simpler and more predictable, and I would guess that this is  
what most browsers already do.

Some testing may be in order, though.

-- 
Philip Jägenstedt
Core Developer
Opera Software



More information about the whatwg mailing list