[whatwg] Javascript: URLs as element attributes
Boris Zbarsky
bzbarsky at MIT.EDU
Thu Feb 10 06:29:17 PST 2011

On 2/10/11 4:36 AM, Adam Barth wrote:
> Apologies for not reading the whole thread before replying, but the
> design Darin describes below has worked well in WebKit thus far. I'd
> be hesitant to make JavaScript URLs work in more contexts due to the
> risk of introducing security vulnerabilities into the engine.

For what it's worth, Gecko treats javascript: URLs as a general
protocol, but with tracking of where the URL came from required for the
script to actually execute and explicit opt-in on the caller's part
required to execute outside a sandbox.

This too has worked well in terms of security, for what it's worth,
while offering a lot more flexibility in terms of how and where
javascript: URIs can work.

I don't think we should gate the spec here on WebKit's implementation
details if we think a certain behavior is correct but hard to support in
WebKit....

-Boris