[whatwg] URL: javascript URLs
Ian Hickson
ian at hixie.ch
Fri Sep 28 11:26:33 PDT 2012
On Fri, 28 Sep 2012, Boris Zbarsky wrote:
>
> If you're trying to define behavior for various cases of javascript:,
> you should consider defining the following, to the extent that they're
> not already defined:
>
> 1) Whether the script executes (compare <img src> vs <iframe src>),
> but note that some UAs _do_ run the script for <img src>, but in
> a sandbox).
This is specced in HTML, though HTML doesn't match all the UAs; many UAs
have more paranoid behaviour than I think is necessary.
> 2) When the script evaluates (sync vs async, say).
That's specced.
> 3) The global object the script evaluates against.
This is specced also.
> 4) The origin and effective script origin of the script.
Definitely specced.
> 5) What happens when this doesn't match the origin or effective script
> origin or whatever of the global object the script is evaluating
> against.
I think this is specced. Can you elaborate on what you mean?
> 6) Interactions with sandboxed iframes and CSP. What happens when
> the parent page sets the location of a sandboxed iframe to a
> javascript: URI, for example? I would be slightly shocked if
> there is UA interop here.
This is specced, though it might not be right. I haven't checked recently.
> 7) Handling of the return value of the script.
I believe this is specced.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list