On Tue, 02 Oct 2007 18:53:58 +0200, Mark Baker <[EMAIL PROTECTED]> wrote:
Opera's behaviour sounds sensible. I'd throw on javascript: because
the embedded script could do arbitrary things, whereas the calling
script presumably expects open() to have predictable side effects.
I suppose that a data:text/javascript,... URI should also throw if it
the agent would otherwise execute the embedded script. But I see no
harm in permitting any other non-executable-content data: URIs to be
open()ed.
data:text/javascript would act the same as simply loading a JavaScript
file. There's no execution involved there so that's safe. I've allowed
data: URIs now:
http://dev.w3.org/2006/webapi/XMLHttpRequest/
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
