On Wed, Aug 11, 2010 at 7:58 PM, Cris Neckar <c...@chromium.org> wrote: > Browsers currently deal with these in a fairly ad-hoc way. I used the > following to test a few examples in various browsers. > > <embed src="javascript:alert('embed-src');"></embed> > <embed src="http://none" > pluginurl="javascript:alert('embed-pluginurl');"></embed> > <object classid="javascript:alert('object-classid');"></object> > <object archive="javascript:alert('object-archive');"></object> > <object data="javascript:alert('object-data');"></object> > <img src="javascript:alert('img-src');"> > <script src="javascript:alert('script-src');"></script> > <applet code="javascript:alert('applet-code');"></applet> > <applet code="http://none" > archive="javascript:alert('applet-archive');"></applet> > <applet code="http://none" > codebase="javascript:alert('applet-codebase');"></applet> > <link rel="stylesheet" type="text/css" > href="javascript:alert('link-href');" />
Just curious, why do we want to allow alert/confirm/prompt in URLs for embed, object, applet etc? I see some times problem in Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=616838 And I dont see any use case for that. Cheers Biju