[whatwg] Javascript: URLs as element attributes

Adam Barth w3c at adambarth.com
Thu Feb 10 01:36:58 PST 2011

Apologies for not reading the whole thread before replying, but the
design Darin describes below has worked well in WebKit thus far.  I'd
be hesitant to make JavaScript URLs work in more contexts due to the
risk of introducing security vulnerabilities into the engine.


On Tue, Nov 30, 2010 at 11:37 AM, Darin Adler <darin at apple.com> wrote:
> In WebKit, we have treated the javascript URL scheme as a special case, with explicit code in the loader, and not handled by general purpose resource protocol machinery. Maciej Stachowiak suggested this approach, back in 2002, and one of the reasons he gave me at the time is that thought WebKit would be more likely to get the security policy right if code paths opted in to JavaScript execution rather than opting out of javascript URL scheme handling.
>    -- Darin

More information about the whatwg mailing list