[whatwg] Javascript: URLs as element attributes

Ian Hickson ian at hixie.ch
Mon Nov 15 17:15:45 PST 2010

On Wed, 11 Aug 2010, Cris Neckar wrote:
> The HTML5 Spec is somewhat ambiguous on the handling of javascript: URLs 
> when supplied as attributes to different elements. It does not 
> specifically prohibit handling them in most cases but I was wondering if 
> this has been discussed and whether there is consensus on correct 
> behavior.

I don't understand what's ambiguous. As far as I can tell the spec covers 
all the cases you describe in detail.

On Wed, 11 Aug 2010, Boris Zbarsky wrote:
> Gecko's currently-intended behavior is to do what section 6.1.5 
> describes in all cases except:
>   <iframe src="javascript:">
>   <object data="javascript:">
>   <embed src="javascript:">
>   <applet code="javascript:">

What does it do for those cases if it doesn't match the spec?

I presume <script src="javascript:"> is also special; the HTML spec 
handles that one separately (it does nothing, for historical reasons).

> > Has there been discussion on this in the past? If not we should work 
> > towards defining which of these we want to allow and which we should 
> > block.
> Agreed.
> For what it's worth, as I see it there are three possible behaviors for 
> a javascript: URI (whether in an attribute value or elsewhere):
> 1)  Don't run the script.
> 2)  Run the script, but in a sandbox.
> 3)  Run the script against some Window object (which one?)
> Defining which of these happens in which case would be good.  Again, 
> Gecko's behavior is #2 by default (in all sorts of situations; basically 
> anywhere you can dereference a URI), with exceptions made to do #3 in 
> some cases.

That's what the spec says currently.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
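
An added example, not part of the original message or of the HTML spec: a small audit helper that finds javascript: URLs in attribute values and sorts them into the groups the thread distinguishes (the four element/attribute pairs Boris Zbarsky lists, `<script src>`, and everything else). The function names, category labels and sample input are assumptions made for illustration; input is assumed to be already parsed, with character references decoded.

```javascript
// Added example: classify javascript: URLs found in element attributes.
// Input is (tag, attr, value) triples as an HTML parser would produce them,
// i.e. with character references already decoded (assumption).

// Pairs listed in the thread as the cases where Gecko differs from section 6.1.5.
const GECKO_EXCEPTIONS = { iframe: "src", object: "data", embed: "src", applet: "code" };

// True if a URL parser would read the scheme as "javascript". The WHATWG URL
// Standard strips leading/trailing C0 control-or-space characters and removes
// ASCII tab/newline everywhere before parsing; schemes are case-insensitive.
function isJavascriptUrl(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(cleaned);
}

// Returns one finding per attribute whose value is a javascript: URL.
function classify(triples) {
  const findings = [];
  for (const { tag, attr, value } of triples) {
    if (!isJavascriptUrl(value)) continue;
    const t = tag.toLowerCase();
    const a = attr.toLowerCase();
    let category = "other"; // e.g. <a href>, handled by the general rule
    if (GECKO_EXCEPTIONS[t] === a) category = "gecko-exception-list";
    else if (t === "script" && a === "src") category = "script-src";
    findings.push({ tag: t, attr: a, category });
  }
  return findings;
}

// Constructed sample input, not taken from the thread.
const sample = [
  { tag: "IFRAME", attr: "src", value: "  JavaScript:void(0)" },
  { tag: "script", attr: "src", value: "java\tscript:void(0)" },
  { tag: "a", attr: "href", value: "javascript:void(0)" },
  { tag: "img", attr: "src", value: "/javascript:logo.png" },
  { tag: "embed", attr: "src", value: "https://example.test/x?u=javascript:" },
];
console.log(classify(sample));
```
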
