369244 - [FIX]Create an API to control javascript: execution on a per-channel basis

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed patch

We shouldn't just use the origin principal to make this decision as we do now.

What the attached patch does is to introduce a new interface to control the execution of programs represented as URIs (at the moment, just javascript:).

Hopefully the API comments are clear enough that I don't need to explain the setup.  If they're not, I should fix that.  ;)

At the moment, with this patch, the only time we will execute javascript: URIs is when they're loaded in a docshell (both because that's the only place where they'll have an owner and because that's the only place where we change the policy from NO_EXECUTION).  With this patch, we'll basically be compatible with IE7.

Then, as we propagate our trust labels through the code, we can decide on a case-by-case basis where to change the policy from NO_EXECUTION to something else.

Comment 1

[Boris Zbarsky [:bzbarsky]]

This needs tests, by the way...  Ideally we'd get the tests from previous javascript: bugs checked in... ;)

Comment 2

[Johnny Stenback (:jst)]

Comment on attachment 253927 [details] [diff] [review]
Proposed patch

r=jst

Comment 3

[Brendan Eich [:brendan]]

Comment on attachment 253927 [details] [diff] [review]
Proposed patch

Looks good, sr=me.

/be

Comment 4

[Boris Zbarsky [:bzbarsky]]

Fixed, but I still need to write those tests.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Attachment: Build bustage fix