On Tue, 25 Sep 2007 14:52:17 +0200, Anne van Kesteren <[EMAIL PROTECTED]>
wrote:
It would be nice to get some implementation feedback on what to do about
data:, javascript: etc.
Determining the origin of data:, javascript: URIs when they are
responsible for making the request is defined by HTML5, but it's not
really clear to me what should happen when somebody does:
1. client.open("data:...")
2. client.open("javascript:...")
Should that always work or always throw? Testing shows that browsers throw
(Firefox, Internet Explorer, Opera), except that Opera allows access to
data:. The simplest thing to do would be to disallow everything that does
not have any of the scheme, ihost or port components, but I'm open to
other suggestions.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
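
The rule suggested in the message above, sketched as an added example; it is not code from the original message or from any browser. It assumes the rule means "refuse open() unless the resolved URL yields a scheme, a host and a port"; `originTuple`, `checkOpen`, `classify` and the sample URLs are hypothetical names and constructed values.

```javascript
// Added example: refuse an XMLHttpRequest-style open() when the target URL
// cannot produce a (scheme, host, port) tuple, as data: and javascript: cannot.
// Assumption: only http and https have default ports in this sketch.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Resolve target against base and return {scheme, host, port},
// or null when any of the three components is missing.
function originTuple(target, base) {
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return null; // not parsable as a URL at all
  }
  const host = url.hostname; // empty string for data:, javascript:, file:
  const port = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (!host || port === undefined) return null;
  return { scheme: url.protocol.slice(0, -1), host, port };
}

// Hypothetical stand-in for the check made at the start of client.open().
function checkOpen(target, documentUrl) {
  const tuple = originTuple(target, documentUrl);
  if (tuple === null) {
    throw new Error("open() refused: no scheme/host/port in " + JSON.stringify(target));
  }
  return tuple;
}

// Constructed document URL and sample targets.
const DOCUMENT_URL = "http://example.org/app/index.html";

function classify(targets) {
  return targets.map((t) => {
    try {
      checkOpen(t, DOCUMENT_URL);
      return [t, "ok"];
    } catch (e) {
      return [t, "throws"];
    }
  });
}

console.log(classify([
  "data:text/plain,hi",
  "javascript:void(0)",
  "items.json",
  "https://example.org:8443/api",
]));
```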