[whatwg] Javascript: URLs as element attributes

Boris Zbarsky bzbarsky at MIT.EDU
Mon Nov 15 18:50:34 PST 2010

On 11/15/10 8:15 PM, Ian Hickson wrote:
>> Gecko's currently-intended behavior is to do what section 6.1.5
>> describes in all cases except:
>>    <iframe src="javascript:">
>>    <object data="javascript:">
>>    <embed src="javascript:">
>>    <applet code="javascript:">
> What does it do for those cases if it doesn't match the spec?

Note that at this point the section in question is 7.1.5: 

For <iframe> the behavior in Gecko currently is different in terms of 
what the URI of the result document of javascript: is set to.

For the others, I believe we execute them in the script environment of 
the owner document of the object/embed/applet, whereas the spec requires 
them to execute in a sandbox, as far as I can tell.

Note that there is some confusion here in terms of browsing contexts and 
<object>, since <object> does expose a Document object sometimes (but 
not others) and does participate in session history sometimes, I 
believe...  So I'm not quite sure what behavior the spec calls for for 

> I presume<script src="javascript:">  is also special; the HTML spec
> handles that one separately (it does nothing, for historical reasons).

In Gecko currently it acts just like most cases of javascript:.  More on 
this below.

>> For what it's worth, as I see it there are three possible behaviors for
>> a javascript: URI (whether in an attribute value or elsewhere):
>> 1)  Don't run the script.
>> 2)  Run the script, but in a sandbox.
>> 3)  Run the script against some Window object (which one?)
>> Defining which of these happens in which case would be good.  Again,
>> Gecko's behavior is #2 by default (in all sorts of situations; basically
>> anywhere you can dereference a URI), with exceptions made to do #3 in
>> some cases.
> That's what the spec says currently.

That doesn't agree with your comments about <script src> above...

Fwiw, looking at the Gecko code more carefully, it seems that we default 
to #1 above unless we know where the URI came from, in which case we 
default to #2, unless a special flag is set at URI dereference time to 
select behavior #3.  That last flag is only set for 
frame/iframe/object/applet/embed at the moment.

Also at the moment in most cases we don't know where the URI came from 
(e.g. images don't know, nor do <script src>).  Those are considered 
bugs, not features; the target behavior is #2.  Stylesheet loads do know 
where the URI came from and have behavior #2, as does XHR.


More information about the whatwg mailing list