ian at hixie.ch
Mon Nov 15 17:15:45 PST 2010
On Wed, 11 Aug 2010, Cris Neckar wrote:
> when supplied as attributes to different elements. It does not
> specifically prohibit handling them in most cases but I was wondering if
> this has been discussed and whether there is consensus on correct
I don't understand what's ambiguous. As far as I can tell the spec covers
all the cases you describe in detail.
On Wed, 11 Aug 2010, Boris Zbarsky wrote:
> Gecko's currently-intended behavior is to do what section 6.1.5
> describes in all cases except:
What does it do for those cases if it doesn't match the spec?
handles that one separately (it does nothing, for historical reasons).
> > Has there been discussion on this in the past? If not we should work
> > towards defining which of these we want to allow and which we should
> > block.
> For what it's worth, as I see it there are three possible behaviors for
> 1) Don't run the script.
> 2) Run the script, but in a sandbox.
> 3) Run the script against some Window object (which one?)
> Defining which of these happens in which case would be good. Again,
> Gecko's behavior is #2 by default (in all sorts of situations; basically
> anywhere you can dereference a URI), with exceptions made to do #3 in
> some cases.
That's what the spec says currently.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'