[whatwg] Javascript: URLs as element attributes

Ian Hickson ian at hixie.ch
Mon Nov 15 17:15:45 PST 2010


On Wed, 11 Aug 2010, Cris Neckar wrote:
> 
> The HTML5 Spec is somewhat ambiguous on the handling of javascript: URLs 
> when supplied as attributes to different elements. It does not 
> specifically prohibit handling them in most cases but I was wondering if 
> this has been discussed and whether there is consensus on correct 
> behavior.

I don't understand what's ambiguous. As far as I can tell the spec covers 
all the cases you describe in detail.


On Wed, 11 Aug 2010, Boris Zbarsky wrote:
> 
> Gecko's currently-intended behavior is to do what section 6.1.5 
> describes in all cases except:
> 
>   <iframe src="javascript:">
>   <object data="javascript:">
>   <embed src="javascript:">
>   <applet code="javascript:">

What does it do for those cases if it doesn't match the spec?

I presume <script src="javascript:"> is also special; the HTML spec 
handles that one separately (it does nothing, for historical reasons).


> > Has there been discussion on this in the past? If not we should work 
> > towards defining which of these we want to allow and which we should 
> > block.
> 
> Agreed.
> 
> For what it's worth, as I see it there are three possible behaviors for 
> a javascript: URI (whether in an attribute value or elsewhere):
> 
> 1)  Don't run the script.
> 2)  Run the script, but in a sandbox.
> 3)  Run the script against some Window object (which one?)
> 
> Defining which of these happens in which case would be good.  Again, 
> Gecko's behavior is #2 by default (in all sorts of situations; basically 
> anywhere you can dereference a URI), with exceptions made to do #3 in 
> some cases.

That's what the spec says currently.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
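
An added example, not part of the thread: a check a reviewer could run over already-decoded attribute values to flag javascript: URLs on the element/attribute pairs named above. The names urlScheme and flagJavascriptUrls and the sample values are assumptions; the scheme is read the way a URL parser reads it (leading control characters and spaces stripped, tabs and newlines removed, case ignored).

```javascript
// Element/attribute pairs named in the thread (script src is the case the
// spec is said to handle separately).
const THREAD_ATTRIBUTES = new Set([
  "iframe:src", "object:data", "embed:src", "applet:code", "script:src",
]);

// Return the lowercased scheme of a decoded attribute value, or null.
// Leading C0 control/space characters are stripped and ASCII tab/newline
// characters are removed before the scheme is matched, so obfuscated
// spellings resolve to the same scheme.
function urlScheme(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const match = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// Return "element attribute" for every listed pair whose value is a
// javascript: URL. Input objects are a hypothetical shape for this example.
function flagJavascriptUrls(attrs) {
  return attrs
    .map(a => ({
      key: `${a.element.toLowerCase()}:${a.attribute.toLowerCase()}`,
      value: a.value,
    }))
    .filter(a => THREAD_ATTRIBUTES.has(a.key))
    .filter(a => urlScheme(a.value) === "javascript")
    .map(a => a.key.replace(":", " "));
}

// Constructed sample input, not taken from any real page.
const SAMPLE = [
  { element: "iframe", attribute: "src", value: "javascript:" },
  { element: "OBJECT", attribute: "data", value: "  JaVaScRiPt:void 0" },
  { element: "embed", attribute: "src", value: "java\tscript:1" },
  { element: "applet", attribute: "code", value: "Demo.class" },
  { element: "script", attribute: "src", value: "https://example.com/a.js" },
  { element: "iframe", attribute: "src", value: "/javascript:" },
];

console.log(flagJavascriptUrls(SAMPLE));
```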

