[whatwg] Javascript: URLs as element attributes

Boris Zbarsky bzbarsky at MIT.EDU
Mon Nov 29 07:36:32 PST 2010

On 11/25/10 9:10 AM, Philip Jägenstedt wrote:
> Based on this, unless there are corner-cases I've missed, it seems
> unlikely that there's a large body of web content that depends on inline
> javascript: URLs executing. My current plan is to try completely
> blocking javascript: URLs in the contexts mentioned above. This seems to
> be the simplest to implement and the fastest way to reach
> interoperability. The alternative is to start executing javascript: URLs
> in more contexts, which, even if sandboxed, doesn't seem particularly
> useful.

Does Opera sandbox <object data="javascript:">?  Note that Firefox does not.

Also, note that <embed src="javascript:"> and <applet 
something="javascript:"> (can't recall the attr name right now) also 
execute the script in Firefox.  Do they in Opera?

> I'll keep you posted if there are any compatibility issues that come up
> with this. Assuming (boldly) there is not, would there be support from
> other browsers to move in this direction and change the spec to match?
> (It seems that IE and WebKit are already basically already doing what
> I'm advocating.)

The reason Firefox runs javascript: in <object> is 
<https://bugzilla.mozilla.org/show_bug.cgi?id=300263>.  I could probably 
be convinced to either run it in a sandbox or not run altogether, though 
I would strongly prefer the sandbox approach....


More information about the whatwg mailing list