[whatwg] comment on a part of the script execution spec, regarding not fully active documents

Boris Zbarsky bzbarsky at MIT.EDU
Wed Jun 22 10:34:21 PDT 2011


On 6/22/11 11:51 AM, Hallvord R. M. Steen wrote:
> Opera actually does a check earlier - there is an origin check if a
> script attempts to set location / location.href to a string that starts
> with javascript:.

That's fine, as long as there is _also_ a check right before the script 
runs.

> (This model is of course safe if the javascript: URL
> executes immediately.

Indeed, which is not the case in many UAs and not the case in the spec 
last I checked... unless that's changed?

> Well, I somewhat disagree with the "doesn't make much sense" claim here
> ;).

Throwing an exception from the async attempt to execute would do ... 
what exactly?

> It made sense to me to inform either the setting script

Which isn't on the stack anymore by the time the exception is thrown?

> or the script inside the javascript: URL itself

Which isn't getting run?

-Boris



More information about the whatwg mailing list