[whatwg] Javascript: URLs as element attributes
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Nov 15 18:50:34 PST 2010
On 11/15/10 8:15 PM, Ian Hickson wrote:
>> Gecko's currently-intended behavior is to do what section 6.1.5
>> describes in all cases except:
>>
>> <iframe src="javascript:">
>> <object data="javascript:">
>> <embed src="javascript:">
>> <applet code="javascript:">
>
> What does it do for those cases if it doesn't match the spec?
Note that at this point the section in question is 7.1.5:
http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#javascript-protocol
For <iframe> the behavior in Gecko currently is different in terms of
what the URI of the result document of javascript: is set to.
For the others, I believe we execute them in the script environment of
the owner document of the object/embed/applet, whereas the spec requires
them to execute in a sandbox, as far as I can tell.
Note that there is some confusion here in terms of browsing contexts and
<object>, since <object> does expose a Document object sometimes (but
not others) and does participate in session history sometimes, I
believe... So I'm not quite sure what behavior the spec calls for for
<object>.
> I presume <script src="javascript:"> is also special; the HTML spec
> handles that one separately (it does nothing, for historical reasons).
In Gecko currently it acts just like most cases of javascript:. More on
this below.
>> For what it's worth, as I see it there are three possible behaviors for
>> a javascript: URI (whether in an attribute value or elsewhere):
>>
>> 1) Don't run the script.
>> 2) Run the script, but in a sandbox.
>> 3) Run the script against some Window object (which one?)
>>
>> Defining which of these happens in which case would be good. Again,
>> Gecko's behavior is #2 by default (in all sorts of situations; basically
>> anywhere you can dereference a URI), with exceptions made to do #3 in
>> some cases.
>
> That's what the spec says currently.
That doesn't agree with your comments about <script src> above...
Fwiw, looking at the Gecko code more carefully, it seems that we default
to #1 above unless we know where the URI came from, in which case we
default to #2, unless a special flag is set at URI dereference time to
select behavior #3. That last flag is only set for
frame/iframe/object/applet/embed at the moment.
Also at the moment in most cases we don't know where the URI came from
(e.g. images don't know, nor do <script src>). Those are considered
bugs, not features; the target behavior is #2. Stylesheet loads do know
where the URI came from and have behavior #2, as does XHR.
-Boris
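As an added, defender-side example that is not part of this thread: a small Node.js scanner that flags javascript: URLs in the attributes Boris lists (iframe/frame src, object data, embed src, applet code, script src, with a href and img src included for comparison), normalising the value the way the URL parser does before reading the scheme. The element/attribute table and the sample HTML are constructed for this example.

```javascript
// Added example, not code from the thread or from Gecko. It only reports
// javascript: URLs in attributes; it renders and executes nothing.

// Element/attribute pairs from the post: the frame/object/embed/applet cases
// Boris says run against the owner document's Window in Gecko (behavior #3),
// <script src> (spec special-cases it), and two ordinary URL attributes.
const URL_ATTRS = {
  iframe: ["src"], frame: ["src"], object: ["data"], embed: ["src"],
  applet: ["code"], script: ["src"], a: ["href"], img: ["src"],
};

// Read the scheme the way a URL parser does: strip leading/trailing C0
// controls and spaces, drop tabs and newlines, lowercase the scheme.
// Returns the scheme, or null when the value has none (relative URL).
function schemeOf(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Minimal tag/attribute tokenizer, enough for well-formed markup like the
// sample below. A production scanner should walk a real DOM instead.
function findJavascriptUrls(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const element = tag[1].toLowerCase();
    const watched = URL_ATTRS[element];
    if (!watched) continue;
    const attrRe = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attribute = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
      if (watched.includes(attribute) && schemeOf(value) === "javascript") {
        findings.push({ element, attribute, value });
      }
    }
  }
  return findings;
}

// Constructed sample input: two javascript: attributes (one with leading
// whitespace and mixed case), and two attributes that should not be flagged.
const SAMPLE_HTML = [
  '<iframe src="javascript:void(0)"></iframe>',
  "<object data=' JavaScript:void(0)'></object>",
  '<embed src="https://example.com/plugin.swf">',
  '<img src="data:image/gif;base64,R0lGOD">',
].join("\n");
```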