Closed
Bug 1203457
Opened 9 years ago
Closed 9 years ago
Improve support coherency for the javascript: protocol inside HTML
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INVALID
People
(Reporter: ytrezq, Unassigned)
Currently it is only supported in <frame>, <iframe>, <object>, and <a>. When support for a new attribute is added, its implementation is rejected because of the risk of XSS. But it seems it is not like SVG; currently a sanitizer designer should strip protocols if he/she has Firefox users in mind, especially considering that the <a> element is the core of the internet. So the current behaviour makes no sense, as it is already allowed elsewhere.

Propositions I have in mind:
- Disable the javascript: protocol completely inside HTML and CSS documents (it would remain available in the navbar)
- Enable it only for elements requiring user interaction and, for those elements, open the linked content in a new tab or window (which is what Presto Opera did partially)
- Follow the W3C by enabling it everywhere a URI scheme is supported.
coherency
Summary: Improve support consistency for the javascript: protocol inside HTML → Improve support coherency for the javascript: protocol inside HTML
Comment 2•9 years ago
The W3C spec only supports the javascript: protocol in a small handful of cases involving navigation. Per that spec, it should only work in <a>, <frame>, and <iframe> (and notably not <object>; we just haven't gotten around to removing it there yet).
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Boris Zbarsky [:bz] from comment #2)
> The W3C spec only supports the javascript: protocol in a small handful of
> cases involving navigation. Per that spec, it should only work in <a>,
> <frame>, and <iframe> (and notably not <object>; we just haven't gotten
> around to removing it there yet).

Where did you read this? (I trust you that all user agents are getting this wrong and that Gecko is right)
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] from comment #4)
> Which "this"?

That restriction on w3c.org (OK, partially solved). Reading https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol it seems you forgot <area>, <form>, <base>, <applet>.
Comment 6•9 years ago
<base> does nothing with javascript:. <applet> is not specced to do anything interesting with it either. I did forget <area> and <form>, yes.
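As an added example (not part of the bug thread and not Gecko's or any sanitizer's own code), this sketch shows the scheme check a sanitizer author would apply to the element/attribute pairs named in the comments above. The allowlist, the base URL, the function names and the sample records are assumptions made for illustration.

```javascript
// Element/attribute pairs taken from the comments above; <object data> is
// included because comment 2 says Gecko had not yet removed support there.
const NAVIGATION_ATTRS = new Map([
  ["a", "href"], ["area", "href"], ["frame", "src"],
  ["iframe", "src"], ["form", "action"], ["object", "data"],
]);

// Assumption: the schemes this hypothetical sanitizer permits.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Assumption: placeholder base URL used to resolve relative references.
const BASE = "https://example.test/";

// Parse with the WHATWG URL parser, as a browser does: it trims leading and
// trailing spaces/control characters, drops tabs and newlines, and lowercases
// the scheme. Comparing the parsed scheme to an allowlist avoids string
// matching on the raw attribute value.
function isAllowedUrl(value, base = BASE) {
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Return the attributes a sanitizer should drop, given { tag, attrs } records
// produced by an HTML parser (no HTML parsing is done here).
function findRejectedAttributes(elements) {
  const rejected = [];
  for (const { tag, attrs } of elements) {
    const name = NAVIGATION_ATTRS.get(tag.toLowerCase());
    if (name && typeof attrs[name] === "string" && !isAllowedUrl(attrs[name])) {
      rejected.push(`${tag.toLowerCase()}[${name}]`);
    }
  }
  return rejected;
}

// Constructed sample input, not taken from the bug.
const SAMPLE = [
  { tag: "a", attrs: { href: "/docs/index.html" } },
  { tag: "A", attrs: { href: " JaVa\tScRiPt:alert(1)" } },
  { tag: "form", attrs: { action: "javascript:alert(1)" } },
  { tag: "iframe", attrs: { src: "https://example.test/frame" } },
  { tag: "img", attrs: { src: "javascript:alert(1)" } }, // not a navigation attribute per the thread
];
```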
Updated•5 years ago
Component: DOM → DOM: Core & HTML