Closed Bug 1203457 Opened 9 years ago Closed 9 years ago

Improve support coherency for the javascript: protocol inside HTML

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED INVALID

People

(Reporter: ytrezq, Unassigned)

Currently it is only supported in <frame>, <iframe>, <object>, and <a>. When support for a new attribute is added, its implementation is rejected because of the risk of XSS.

But it seems it is not like SVG: currently a sanitizer designer should strip protocols if he/she has Firefox users in mind, especially considering that the <a> element is the core of the internet.
So the current behaviour makes no sense as it is already allowed elsewhere.

Propositions I have in mind:
- Disable the javascript: protocol completely inside HTML and CSS documents (it would remain available in the navbar)
- Enable it only for elements requiring user interaction and, for those elements, open the linked content in a new tab or window (which is what Presto Opera did partially)
- Follow the W3C by enabling it everywhere a URI scheme is supported.
Blocks: 1203282
coherency
Summary: Improve support consistency for the javascript: protocol inside HTML → Improve support coherency for the javascript: protocol inside HTML
The W3C spec only supports the javascript: protocol in a small handful of cases involving navigation.  Per that spec, it should only work in <a>, <frame>, and <iframe> (and notably not <object>; we just haven't gotten around to removing it there yet).
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Boris Zbarsky [:bz] from comment #2)
> The W3C spec only supports the javascript: protocol in a small handful of
> cases involving navigation.  Per that spec, it should only work in <a>,
> <frame>, and <iframe> (and notably not <object>; we just haven't gotten
> around to removing it there yet).

Where did you read this? (I trust you that all user agents are getting this wrong and that Gecko is right)
Flags: needinfo?(bzbarsky)
> Where did you read this ? 

Which "this"?
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] from comment #4)
> Which "this"?
That restriction on w3c.org

(ok partially solved)

reading https://html.spec.whatwg.org/multipage/browsers.html#javascript-protocol it seems you forgot <area> <form> <base> <applet>
<base> does nothing with javascript:.  <applet> is not specced to do anything interesting with it either.

I did forget <area> and <form>, yes.
Component: DOM → DOM: Core & HTML
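
A sanitizer-side check for the navigation elements named in this thread, as an added example (not code from the bug or from Gecko). The node structure, the allowed-scheme list and the placeholder base URL are assumptions made for illustration.

```javascript
// Element/attribute pairs named in the thread: <a>, <area>, <form>, <frame>,
// <iframe>, plus <object>, which the thread says Gecko still honoured.
const NAVIGATION_SINKS = new Map([
  ["a", ["href"]],
  ["area", ["href"]],
  ["form", ["action"]],
  ["frame", ["src"]],
  ["iframe", ["src"]],
  ["object", ["data"]],
]);

// Assumption: the only schemes this sanitizer lets through.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Assumption: placeholder base, used only to resolve relative references.
const BASE = "https://sanitizer.invalid/";

// Parse the value with the WHATWG URL parser, which strips leading/trailing
// whitespace and control characters, removes tabs and newlines, and
// lower-cases the scheme, so the scheme returned is the one a browser acts on.
function effectiveScheme(value) {
  try {
    return new URL(value, BASE).protocol;
  } catch {
    return null; // unparsable values are treated as not allowed
  }
}

// nodes: [{ tag, attrs: { name: value } }], a constructed stand-in for a
// parsed DOM. Returns a cleaned copy and the list of dropped attributes.
function stripScriptUrls(nodes) {
  const removed = [];
  const cleaned = nodes.map(({ tag, attrs }) => {
    const sinks = NAVIGATION_SINKS.get(tag.toLowerCase()) || [];
    const kept = {};
    for (const [name, value] of Object.entries(attrs)) {
      const isSink = sinks.includes(name.toLowerCase());
      if (isSink && !ALLOWED_SCHEMES.has(effectiveScheme(value))) {
        removed.push(`${tag}[${name}]`);
        continue;
      }
      kept[name] = value;
    }
    return { tag, attrs: kept };
  });
  return { cleaned, removed };
}
```

Applying the same scheme allowlist to every URL-bearing attribute, not only the sinks listed here, is the stricter choice for a sanitizer that cannot track which elements each browser honours.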