[whatwg] URL: javascript URLs

Ian Hickson ian at hixie.ch
Fri Sep 28 11:26:33 PDT 2012

On Fri, 28 Sep 2012, Boris Zbarsky wrote:
> If you're trying to define behavior for various cases of javascript:, 
> you should consider defining the following, to the extent that they're 
> not already defined:
> 1)  Whether the script executes (compare <img src> vs <iframe src>,
>     but note that some UAs _do_ run the script for <img src>, but in
>     a sandbox).

This is specced in HTML, though HTML doesn't match all the UAs; many UAs 
have more paranoid behaviour than I think is necessary.

> 2)  When the script evaluates (sync vs async, say).

That's specced.

> 3)  The global object the script evaluates against.

This is specced also.

> 4)  The origin and effective script origin of the script.

Definitely specced.

> 5)  What happens when this doesn't match the origin or effective script
>     origin or whatever of the global object the script is evaluating
>     against.

I think this is specced. Can you elaborate on what you mean?

> 6)  Interactions with sandboxed iframes and CSP.  What happens when
>     the parent page sets the location of a sandboxed iframe to a
>     javascript: URI, for example?  I would be slightly shocked if
>     there is UA interop here.

This is specced, though it might not be right. I haven't checked recently.

> 7)  Handling of the return value of the script.

I believe this is specced.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
