[whatwg] Javascript: URLs as element attributes
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Feb 9 19:52:54 PST 2011
On 2/9/11 10:12 PM, Ian Hickson wrote:
> On Mon, 15 Nov 2010, Boris Zbarsky wrote:
>> On 11/15/10 8:15 PM, Ian Hickson wrote:
>>>> Gecko's currently-intended behavior is to do what [the spec]
>>>> describes in all cases except:
>>>>
>>>> <iframe src="javascript:">
>>>> <object data="javascript:">
>>>> <embed src="javascript:">
>>>> <applet code="javascript:">
>>>
>>> What does it do for those cases if it doesn't match the spec?
>>
>> For<iframe> the behavior in Gecko currently is different in terms of
>> what the URI of the result document of javascript: is set to.
>
> How does it differ? As far as I can tell, it works the same as the spec
> says (the document.location is "about:blank" in the example above).
The example above doesn't actually return a document from the
javascript: URI; it was a shorthand for a generic javascript: URI that
does do that.
Try this:
data:text/html,<body onload="alert(window[0].location)"><iframe
src="javascript:''">
>> Note that there is some confusion here in terms of browsing contexts and
>> <object>, since<object> does expose a Document object sometimes (but not
>> others) and does participate in session history sometimes, I believe... So
>> I'm not quite sure what behavior the spec calls for for<object>.
>
> It's defined; see the section on the<onject> element.
I've read that section, in fact. I couldn't make sense of what behavior
it actually called for. Has it changed recently (last few months) to
become clearer such that rereading would be worthwhile?
>> At least in Gecko, the return value string is examined to see whether
>> all the charcode values are< 255. If they are, then the string is
>> converted to a byte array by just dropping the high byte of every char.
>> So you can pretty easily generate image data this way.
>>
>> If any of the bytes are> 255, then the string is encoded as UTF-8
>> instead.
>
> Hm. This currently isn't specced; the spec just assumes the return value
> is text/html string data and doesn't say what encoding to use. Is there a
> good way to test this in the context of an<iframe>, where all the
> browsers do something with javascript:?
<body onload="alert(window[0].document.characterSet)"><iframe
src="javascript:'\u0400'">
(can't be a data: URI in webkit, for what it's worth; seems to fail
same-origin checks).
If I load that from file://, italerts UTF-8 in Gecko, ISO-8859-1 in the
Webkit-based browsers I have here, empty string in Opera 11 (?).
You could also do things like generate a document that links to a
stylesheet with no encoding information and see what encoding the sheet
is treated as.
If the question was whether it's possible to tell by black-box testing
what the return string is actually treated as, not just what
characterSet the resulting document reports, I'd have to do some more
thinking.
-Boris
More information about the whatwg
mailing list