[whatwg] Javascript: URLs as element attributes

Adam Barth w3c at adambarth.com
Thu Feb 10 10:38:54 PST 2011


On Thu, Feb 10, 2011 at 6:29 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 2/10/11 4:36 AM, Adam Barth wrote:
>> Apologies for not reading the whole thread before replying, but the
>> design Darin describes below has worked well in WebKit thus far.  I'd
>> be hesitant to make JavaScript URLs work in more contexts due to the
>> risk of introducing security vulnerabilities into the engine.
>
> For what it's worth, Gecko treats javascript: URLs as a general protocol,
> but with tracking of where the URL came from required for the script to
> actually execute and explicit opt-in on the caller's part required to
> execute outside a sandbox.
>
> This too has worked well in terms of security, for what it's worth, while
> offering a lot more flexibility in terms of how and where javascript: URIs
> can work.
>
> I don't think we should gate the spec here on Webkit's implementation
> details if we think a certain behavior is correct but hard to support in
> Webkit....

The connection is that these features are unlikely to get implemented
in WebKit anytime soon.  To the extent that we want the spec to
reflect interoperable behavior across browsers, speccing things that
aren't (and aren't likely to become) interoperable is a net loss.

Adam



More information about the whatwg mailing list