-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should <object data=...>
support javascript:
URLs?
#10719
Comments
That's the type for writing HTML documents which isn't really relevant to user agents. The processing requirements for the elements are quite different. The So Chromium and WebKit are correct. Here's an improved test: |
cc @farre |
Which type? How is it not relevant to user agents?
What means navigating it directly? Isn't the latter happening in the example?
Is that backed up by the spec? It's not obvious.
|
See https://html.spec.whatwg.org/multipage/infrastructure.html#conformance-classes The text
...applies to documents.
If there already is a child browsing context for the
The algorithm at https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element:~:text=Whenever%20one%20of%20the%20following%20conditions%20occur: step 3.4 invokes fetch, then based on the response will either create a child navigable in step 9 or go to the image path or fallback path. A |
That applies to the iframe element's src attribute too 1. So it seems per spec, neither iframe's src attribute, nor object's data attribute may be used with
Correct. Footnotes |
A I suppose we could change the document conformance rules to disallow |
@sideshowbarker might have an opinion on conformance. |
What is the issue with the HTML Standard?
Browsers' behavior differs for it. E.g. for https://jsfiddle.net/6bv9xogk/, Chrome and WebKit treat
javascript:
URLs as no-ops, Firefox executes the script.The object element's data attribute is specified 1 as a "valid non-empty URL potentially surrounded by spaces" 2. The iframe element's src attribute 3 has the same type. All major browsers support
javascript:
URLs in iframes. So per spec, iframe elements and object elements should behave the same.I couldn't figure out yet whether 2 includes
javascript:
URLs.Footnotes
https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-object-data ↩
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#valid-non-empty-url-potentially-surrounded-by-spaces ↩ ↩2
https://html.spec.whatwg.org/multipage/iframe-embed-object.html#dom-iframe-src ↩
The text was updated successfully, but these errors were encountered: