On 6/22/11 11:51 AM, Hallvord R. M. Steen wrote:
Opera actually does a check earlier - there is an origin check if a script attempts to set location / location.href to a string that starts with javascript:.
That's fine, as long as there is _also_ a check right before the script runs.
(This model is of course safe if the javascript: URL executes immediately.
Indeed, which is not the case in many UAs and not the case in the spec last I checked... unless that's changed?
Well, I somewhat disagree with the "doesn't make much sense" claim here ;).
Throwing an exception from the async attempt to execute would do ... what exactly?
It made sense to me to inform either the setting script
Which isn't on the stack anymore by the time the exception is thrown?
or the script inside the javascript: URL itself
Which isn't getting run? -Boris
