Improve support coherency for the javascript: protocol inside HTML

RESOLVED INVALID

People

(Reporter: ytrezq, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
Currently it is only supported in <frame>, <iframe>, <object>, and <a>. When support for a new attribute is added, its implementation is rejected because of the risk of XSS.

But it seems it is not like SVG; currently a sanitizer designer should strip protocols if he/she has Firefox users in mind, especially considering that the <a> element is the core of the internet.
So the current behaviour makes no sense as it is already allowed elsewhere.

Propositions I have in mind:
— Disable the javascript: protocol completely inside HTML and CSS documents (it would remain available in the navbar)
— Enable it only for elements requiring user interaction and, for those elements, open the linked content in a new tab or window (which is what Presto Opera did partially)
— Follow the W3C by enabling it everywhere a URI scheme is supported.
(Reporter)

Updated

3 years ago
Blocks: 1203282
(Reporter)

Comment 1

3 years ago
coherency
Summary: Improve support consistency for the javascript: protocol inside HTML → Improve support coherency for the javascript: protocol inside HTML

Boris Zbarsky [:bz]

Comment 2

The W3C spec only supports the javascript: protocol in a small handful of cases involving navigation. Per that spec, it should only work in <a>, <frame>, and <iframe> (and notably not <object>; we just haven't gotten around to removing it there yet).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
(Reporter)

Comment 3

3 years ago
(In reply to Boris Zbarsky [:bz] from comment #2)
> The W3C spec only supports the javascript: protocol in a small handful of
> cases involving navigation.  Per that spec, it should only work in <a>,
> <frame>, and <iframe> (and notably not <object>; we just haven't gotten
> around to removing it there yet).

Where did you read this? (I trust you that all user agents are getting this wrong and that Gecko is right)
Flags: needinfo?(bzbarsky)

Boris Zbarsky [:bz]

Comment 4

> Where did you read this?

Which "this"?
Flags: needinfo?(bzbarsky)
(Reporter)

Comment 5

3 years ago
(In reply to Boris Zbarsky [:bz] from comment #4)
> Which "this"?
That restriction on w3c.org

(ok partially solved)

Reading https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol, it seems you forgot <area>, <form>, <base>, <applet>.

Boris Zbarsky [:bz]

<base> does nothing with javascript:. <applet> is not specced to do anything interesting with it either.

I did forget <area> and <form>, yes.
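
The sanitizer concern raised in the description, applied to the navigating elements listed in this thread, as an added example (not code from this bug or from Gecko). The attribute map, the scheme allowlist, the base URL and all function names are assumptions of the example; it parses each value with the WHATWG URL parser so that case changes and embedded whitespace in the scheme are handled the way a browser would handle them.

```javascript
// Navigating attributes for the elements named in this thread (assumed map).
const NAV_ATTRS = {
  a: "href", area: "href", frame: "src", iframe: "src",
  form: "action", object: "data",
};
// Assumed policy: only these schemes may appear in a navigating attribute.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Placeholder base so relative URLs resolve; constructed, not a real site.
const BASE = "https://sanitizer.invalid/";

// Parse as a browser would: the WHATWG URL parser trims leading control
// characters and spaces, drops tabs/newlines, and lowercases the scheme.
function schemeOf(value) {
  try {
    return new URL(value, BASE).protocol;
  } catch (e) {
    return null; // unparseable: treated as not allowed
  }
}

function isAllowedUrl(value) {
  const scheme = schemeOf(String(value));
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// nodes: [{ tag, attrs }] as produced by an HTML parser, so character
// references in attribute values are already decoded.
function sanitize(nodes) {
  return nodes.map(({ tag, attrs }) => {
    const nav = NAV_ATTRS[tag.toLowerCase()];
    const kept = {};
    for (const [name, value] of Object.entries(attrs)) {
      if (name.toLowerCase() === nav && !isAllowedUrl(value)) continue;
      kept[name] = value;
    }
    return { tag, attrs: kept };
  });
}

// Constructed sample input.
const sample = [
  { tag: "a", attrs: { href: "/docs/page", title: "ok" } },
  { tag: "a", attrs: { href: " JaVa\tScRiPt:void(0)" } },
  { tag: "form", attrs: { action: "javascript:void(0)", method: "post" } },
  { tag: "iframe", attrs: { src: "https://example.org/embed" } },
];
console.log(JSON.stringify(sanitize(sample), null, 2));
```

An allowlist is used rather than a check for the literal string `javascript:` so that other script-capable or unexpected schemes are rejected by default.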