[whatwg] Javascript: URLs as element attributes

Boris Zbarsky bzbarsky at MIT.EDU
Thu Feb 10 06:29:17 PST 2011

On 2/10/11 4:36 AM, Adam Barth wrote:
> Apologies for not reading the whole thread before replying, but the
> design Darin describes below has worked well in WebKit thus far.  I'd
> be hesitant to make JavaScript URLs work in more contexts due to the
> risk of introducing security vulnerabilities into the engine.

For what it's worth, Gecko treats javascript: URLs as a general 
protocol, but with tracking of where the URL came from required for the 
script to actually execute and explicit opt-in on the caller's part 
required to execute outside a sandbox.

This too has worked well in terms of security, for what it's worth, 
while offering a lot more flexibility in terms of how and where 
javascript: URIs can work.

I don't think we should gate the spec here on Webkit's implementation 
details if we think a certain behavior is correct but hard to support in 


More information about the whatwg mailing list