On Tue, 30 Nov 2010 20:30:31 +0100, Boris Zbarsky <bzbar...@mit.edu> wrote:

On 11/30/10 4:35 AM, Philip Jägenstedt wrote:
No, as far as I know, Opera hasn't ever sandboxed any inline javascript:
URL execution.

So <img src="javascript:"> runs the JS in the page's context in Opera?

No, <img> was on the list of inlines where javascript: URL execution was explicitly blocked. However, in the contexts where javascript: URLs did execute, they did so in the containing document's context. (See my first mail in this thread for both lists.)

Also, note that <embed src="javascript:"> and <applet
something="javascript:"> (can't recall the attr name right now) also
execute the script in Firefox. Do they in Opera?

Neither of these executes in Opera; both were explicitly blocked before I
started looking into the issue. Note that I can't get <applet
something="javascript:"> to execute in Firefox either; perhaps it needs
a special value for "something"

Right; see the "can't recall" bit above.  code="javascript:" maybe?

or the Java plugin must be installed?

This might be needed too, yes.

Someone who manages to install a working Java plugin might want to test this. It doesn't seem like it could be a compat issue to me.

It seems to me that after sandboxing, javascript: URLs will be quite
useless. You can only use them where the content is text

That's not the case, actually. At least in Gecko, the return value string is examined to see whether all the charcode values are < 255. If they are, then the string is converted to a byte array by just dropping the high byte of every char. So you can pretty easily generate image data this way.

If any of the bytes are > 255, then the string is encoded as UTF-8 instead.

Do you do that just for inlines, or also when navigating to javascript: URLs? If it's both, then that's something we'd need to standardize, unless all browsers already do the same.

and the script has to be completely self-confined

Indeed.

Using data: URLs will allow you to
generate the data in the outer environment, and it's possible to
generate binary data.

Right. Now that data: support is universal, there may be a lot less need for javascript: returning data, except for compat reasons.

Indeed, so the question is just what the compat constraints are.

So far, it seems that the fastest way to reach compat between browsers
is to simply not run inline javascript: URLs.

Except for frames/iframes, right?

Right, these aren't inlines, in Opera terminology at least. As far as I can see the spec agrees on this, as frames/iframes have their own browsing contexts.

--
Philip Jägenstedt
Core Developer
Opera Software
