[whatwg] Javascript: URLs as element attributes
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Nov 29 07:36:32 PST 2010
On 11/25/10 9:10 AM, Philip Jägenstedt wrote:
> Based on this, unless there are corner-cases I've missed, it seems
> unlikely that there's a large body of web content that depends on inline
> javascript: URLs executing. My current plan is to try completely
> blocking javascript: URLs in the contexts mentioned above. This seems to
> be the simplest to implement and the fastest way to reach
> interoperability. The alternative is to start executing javascript: URLs
> in more contexts, which, even if sandboxed, doesn't seem particularly
> useful.

Does Opera sandbox <object data="javascript:">? Note that Firefox does not.

Also, note that <embed src="javascript:"> and <applet
something="javascript:"> (can't recall the attr name right now) also
execute the script in Firefox. Do they in Opera?

> I'll keep you posted if there are any compatibility issues that come up
> with this. Assuming (boldly) there is not, would there be support from
> other browsers to move in this direction and change the spec to match?
> (It seems that IE and WebKit are already basically doing what
> I'm advocating.)

The reason Firefox runs javascript: in <object> is
<https://bugzilla.mozilla.org/show_bug.cgi?id=300263>. I could probably
be convinced to either run it in a sandbox or not run altogether, though
I would strongly prefer the sandbox approach....

-Boris
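
Added example, not part of the message above and not code from any browser: a JavaScript check a content filter could run to flag javascript: URLs on the plugin elements named in the thread. It assumes the element records come from an HTML parser that has already decoded character references; `WATCHED`, `isJavascriptUrl`, `findScriptUrls` and the sample records are hypothetical names and constructed data.

```javascript
// Attributes to inspect per element. The thread names <object data> and
// <embed src>; it does not name the <applet> attribute, so null means
// "inspect every attribute on that element".
const WATCHED = new Map([
  ["object", ["data"]],
  ["embed", ["src"]],
  ["applet", null],
]);

// Mirror the URL parser's preprocessing before testing the scheme:
// leading C0 control/space is stripped, ASCII tab and newline are removed
// anywhere in the string, and the scheme compares case-insensitively.
function isJavascriptUrl(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  return /^javascript:/i.test(cleaned);
}

// elements: [{ tag, attrs: { name: value } }] as produced by an HTML parser.
// Returns one finding per watched attribute that carries a javascript: URL.
function findScriptUrls(elements) {
  const findings = [];
  for (const { tag, attrs } of elements) {
    const name = tag.toLowerCase();
    if (!WATCHED.has(name)) continue;
    const watched = WATCHED.get(name);
    for (const [attr, value] of Object.entries(attrs)) {
      const a = attr.toLowerCase();
      if ((watched === null || watched.includes(a)) && isJavascriptUrl(value)) {
        findings.push({ tag: name, attr: a });
      }
    }
  }
  return findings;
}

// Constructed sample records (not taken from real content).
const SAMPLE = [
  { tag: "object", attrs: { data: "javascript:void 0", type: "text/html" } },
  { tag: "EMBED", attrs: { SRC: " \tJava\nScript:void 0" } },
  { tag: "applet", attrs: { code: "Example.class", archive: "javascript:void 0" } },
  { tag: "object", attrs: { data: "https://example.test/javascript:page" } },
  { tag: "a", attrs: { href: "javascript:void 0" } }, // not a plugin element
];

console.log(findScriptUrls(SAMPLE));
```

A filter that only compares the raw attribute prefix against "javascript:" would miss the second record, which is why the check normalizes the value first.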