On 11/25/10 9:10 AM, Philip Jägenstedt wrote:
> Based on this, unless there are corner-cases I've missed, it seems
> unlikely that there's a large body of web content that depends on inline
> javascript: URLs executing. My current plan is to try completely
> blocking javascript: URLs in the contexts mentioned above. This seems to
> be the simplest to implement and the fastest way to reach
> interoperability. The alternative is to start executing javascript: URLs
> in more contexts, which, even if sandboxed, doesn't seem particularly
> useful.

Does Opera sandbox <object data="javascript:">?  Note that Firefox does not.

Also, note that <embed src="javascript:"> and <applet something="javascript:"> (can't recall the attr name right now) also execute the script in Firefox. Do they in Opera?

> I'll keep you posted if there are any compatibility issues that come up
> with this. Assuming (boldly) there is not, would there be support from
> other browsers to move in this direction and change the spec to match?
> (It seems that IE and WebKit are basically already doing what
> I'm advocating.)

The reason Firefox runs javascript: in <object> is <https://bugzilla.mozilla.org/show_bug.cgi?id=300263>. I could probably be convinced to either run it in a sandbox or not run altogether, though I would strongly prefer the sandbox approach....

-Boris
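
An added example, not part of the thread: a Node.js check that flags javascript: URLs in the plugin-element attributes discussed above (`<object data>`, `<embed src>`, and any `<applet>` attribute, since the thread does not name one). The function names, the placeholder base URL and the sample markup are assumptions made for this illustration.

```javascript
const BASE = "https://example.invalid/"; // placeholder base so relative URLs parse
// URL attributes the thread names; it does not name the <applet> attribute,
// so for <applet> every attribute is checked (assumption).
const TARGETS = { object: ["data"], embed: ["src"], applet: null };
const NAMED = new Map([["colon", ":"], ["Tab", "\t"], ["NewLine", "\n"]]);

// True when the WHATWG URL parser resolves the value to the javascript: scheme.
// It drops leading spaces/controls and embedded tabs/newlines and lowercases the scheme.
function isJavascriptUrl(value) {
  try {
    return new URL(value, BASE).protocol === "javascript:";
  } catch {
    return false; // unparsable, so not a javascript: URL
  }
}

// Decode numeric character references and the three named ones in NAMED (single pass).
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (name) return m.endsWith(";") && NAMED.has(name) ? NAMED.get(name) : m;
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Return every { tag, attr, value } whose decoded value is a javascript: URL.
function findJavascriptUrls(html) {
  const hits = [];
  const tagRe = /<(object|embed|applet)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    const name = tag.toLowerCase();
    for (const [, attr, dq, sq, bare] of attrs.matchAll(attrRe)) {
      const a = attr.toLowerCase();
      if (TARGETS[name] && !TARGETS[name].includes(a)) continue;
      const value = decodeEntities(dq || sq || bare || "");
      if (isJavascriptUrl(value)) hits.push({ tag: name, attr: a, value });
    }
  }
  return hits;
}

// Constructed sample markup.
const SAMPLE = `
<object data="movie.swf"></object>
<OBJECT DATA=' JaVa&Tab;ScRiPt:void(0)'></OBJECT>
<embed src=&#106;avascript&colon;void(0)>
<applet code="Foo.class" something="javascript:void(0)" width="1"></applet>`;
console.log(findJavascriptUrls(SAMPLE));
```

The regex tokenizer is a triage aid for static markup; it does not see attributes set from script, and a real HTML parser should replace it where one is available.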
