[whatwg] comment on a part of the script execution spec, regarding not fully active documents
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Jun 22 10:34:21 PDT 2011
On 6/22/11 11:51 AM, Hallvord R. M. Steen wrote:
> Opera actually does a check earlier - there is an origin check if a
> script attempts to set location / location.href to a string that starts
> with javascript:.
That's fine, as long as there is _also_ a check right before the script
runs.
> (This model is of course safe if the javascript: URL
> executes immediately.
Indeed, which is not the case in many UAs and not the case in the spec
last I checked... unless that's changed?
> Well, I somewhat disagree with the "doesn't make much sense" claim here
> ;).
Throwing an exception from the async attempt to execute would do ...
what exactly?
> It made sense to me to inform either the setting script
Which isn't on the stack anymore by the time the exception is thrown?
> or the script inside the javascript: URL itself
Which isn't getting run?
-Boris
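
The ordering problem discussed in this message, as an added example that is not part of the original post: a toy model in which a `javascript:` URL navigation passes an origin check when `location` is set, is queued, and runs only after the target's document has changed. All class and function names are hypothetical, the origins are constructed, and the "document changes before the task runs" step is an assumed scenario.

```javascript
// Toy model (constructed for illustration): a browsing context holds one
// active document; javascript: URL navigations are queued, not run at once.
class BrowsingContext {
  constructor(origin) {
    this.activeDocument = { origin, ranScripts: [] };
  }
  navigate(origin) {
    // Replaces the active document; the old one is no longer active.
    this.activeDocument = { origin, ranScripts: [] };
  }
}

class ToyUA {
  constructor({ recheckBeforeRun }) {
    this.recheckBeforeRun = recheckBeforeRun;
    this.tasks = [];
  }
  // Early check, made at the moment location is set.
  setLocation(setterOrigin, target, url) {
    if (!url.startsWith("javascript:")) return "not-a-javascript-url";
    if (setterOrigin !== target.activeDocument.origin) return "blocked-at-set";
    this.tasks.push({ setterOrigin, target, source: url.slice("javascript:".length) });
    return "queued";
  }
  // Later: the queued tasks run asynchronously.
  runTasks() {
    const results = [];
    for (const { setterOrigin, target, source } of this.tasks.splice(0)) {
      const doc = target.activeDocument; // may differ from the document checked earlier
      if (this.recheckBeforeRun && setterOrigin !== doc.origin) {
        results.push("blocked-at-run");
        continue;
      }
      doc.ranScripts.push(source); // stand-in for executing the script in doc
      results.push("ran-in:" + doc.origin);
    }
    return results;
  }
}

function scenario(recheckBeforeRun) {
  const ua = new ToyUA({ recheckBeforeRun });
  const frame = new BrowsingContext("https://a.example");
  const queued = ua.setLocation("https://a.example", frame, "javascript:void 0");
  frame.navigate("https://b.example"); // document changes before the task runs
  return { queued, results: ua.runTasks(), ran: frame.activeDocument.ranScripts.length };
}
```

With only the early check, `scenario(false)` reports the script running in the `https://b.example` document; with the second check, `scenario(true)` reports `blocked-at-run`.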