Editorial: factor out and clean up javascript: URL processing
This attempts to make the navigation algorithm slightly more
comprehensible by factoring out the conversion of javascript: URL
requests into responses into a dedicated algorithm, instead of having it
occupy about half of the main "navigate" algorithm. The factored-out
algorithm is also slightly modernized and cleaned up in various ways.
domenic authored Feb 27, 2019
1 parent 38cac77 commit e13762f
Showing 1 changed file with 119 additions and 118 deletions.
237 changes: 119 additions & 118 deletions source
Expand Up @@ -82302,134 +82302,36 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
<dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
<dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
<var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then return.</p></dd>
<var>browsingContext</var>.</p></dd>

<dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
is "<code data-x="javascript protocol">javascript</code>"</dt>

<dd>
<p><span>Queue a task</span>, on the <span>DOM manipulation task source</span> and associated
with the <span>active document</span> of <var>browsingContext</var>, to run these steps:</p>

<!-- https://www.hixie.ch/tests/adhoc/html/navigation/javascript-url/ -->

<p><span>Queue a task</span> to run <dfn data-x="javascript protocol">these
"<code>javascript:</code> URL" steps</dfn>, associated with the <span>active document</span>
of <var>browsingContext</var>:</p>

<ol id="concept-js-deref">

<li>
<p>Let <var>result</var> be undefined, and jump to the step labeled <i>process result</i>
below if either of the following are true:</p>

<ul>
<li>
<p>The <span>source browsing context</span>'s <span>active document</span>'s
<span>origin</span> is not the <span>same origin</span> as <var>browsingContext</var>'s
<span>active document</span>'s <span>origin</span>.</p>

<p class="&#x0058;&#x0058;&#x0058;">As explained in <a
href="https://github.com/whatwg/html/issues/2591">issue #2591</a> this step does not work
and presents a security issue.</p>
</li>

<li><p>The <span>Should navigation request of type from source in target be blocked by
Content Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when
executed upon <var>resource</var>, "<code data-x="">other</code>", the <span>source
browsing context</span>, and <var>browsingContext</var>. <ref spec="CSP"></p></li>
</ul>
</li>

<li><p>Let <var>urlString</var> be the result of running the <span
data-x="concept-url-serializer">URL serializer</span> on <var>resource</var>'s <span
data-x="concept-request-url">url</span>.</p></li>

<li><p>Remove the leading "<code data-x="">javascript:</code>" string from
<var>urlString</var>.</p></li>

<li><p>Let <var>script source</var> be the result of <span data-x="string percent
decode">string percent decoding</span> <var>urlString</var>.</p></li>

<li><p>Replace <var>script source</var> with the result of applying the <span>UTF-8
decode</span> algorithm to <var>script source</var>.</p></li>

<!-- <body onload="&#xFFFE;w('test')"> and javascript:%EF%BB%BF'test' both work, so we assume
that JavaScript is stripping the BOM, and we don't have to -->

<!--
https://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2639 -> about:blank
https://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2640 -> javascript:'test' in Firefox, about:blank otherwise
-->

<li><p>Let <var>address</var> be the <span data-x="concept-document-url">URL</span> of the
<span>active document</span> of <var>browsingContext</var>.</p></li>

<li><p>Append <var>address</var> to <var>resource</var>'s <span
data-x="concept-request-url-list">URL list</span>.</p></li>

<li><p>Let <var>settings</var> be the <span>relevant settings object</span> for the
<span>active document</span> of <var>browsingContext</var>.</p></li>

<li><p>Let <var>base URL</var> be <var>settings object</var>'s <span>API base
URL</span>.</p></li>

<li><p>Let <var>script</var> be the result of <span>creating a classic script</span> given
<var>script source</var>, <var>settings</var>, <var>base URL</var>, and the <span>default
classic script fetch options</span>.</p></li>

<li><p>Let <var>evaluationStatus</var> be the result of <span data-x="run a classic
script">running the classic script</span> <var>script</var>.</p></li>

<li><p>Let <var>result</var> be undefined if <var>evaluationStatus</var> is an
<span>abrupt completion</span> or <var>evaluationStatus</var>.[[Value]] is
empty, or <var>evaluationStatus</var>.[[Value]] otherwise.</p></li>

<li><p>Let <var>response</var> be null.</p></li>

<li>

<p><i>Process result</i>: If <span data-x="js-Type">Type</span>(<var>result</var>) is not
String, then set <var>response</var> to a <span
data-x="concept-response">response</span> whose <span
data-x="concept-response-status">status</span> is <code data-x="">204</code>.</p>

<p>Otherwise, set <var>response</var> a <span data-x="concept-response">response</span>
whose <span data-x="concept-response-header-list">header list</span> consists of `<code
data-x="">Content-Type</code>`/`<code>text/html</code>` and `<code
data-x="http-referrer-policy">Referrer-Policy</code>`/<var>settings</var>'s <span>referrer
policy</span>, whose <span data-x="concept-response-body">body</span> is <var>result</var>,
and whose <span data-x="concept-response-https-state">HTTPS state</span> is
<var>settings</var>'s <span>HTTPS state</span>.</p>

<p class="warning">The exact conversion between the JavaScript string <var>result</var> and
the bytes that comprise a <span data-x="concept-response-body">response body</span> is
not yet specified, pending further investigation into user agent behavior. See <a
href="https://github.com/whatwg/html/issues/1129">issue #1129</a>.</p>
</li>
<ol>
<li><p>Let <var>response</var> be the result of <span data-x="javascript protocol">executing
a <code>javascript:</code> URL request</span> given <var>resource</var>, the <span>source
browsing context</span>, and <var>browsingContext</var>.</p></li>

<li><p>Run <span>process a navigate response</span> with <var>resource</var>,
<var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then return.</p></li>
<var>browsingContext</var>.</p></li>
</ol>

<p>The <span>task source</span> for this <span data-x="concept-task">task</span> is the
<span>DOM manipulation task source</span>.</p>

<div class="example">

<p>So for example a <span data-x="javascript protocol"><code>javascript:</code> URL</span> in
an <code data-x="attr-hyperlink-href">href</code> attribute of an <code>a</code> element
would only be evaluated when the link was <span data-x="following
hyperlinks">followed</span>, while such a URL in the <code
data-x="attr-iframe-src">src</code> attribute of an <code>iframe</code> element would be
evaluated in the context of the <code>iframe</code>'s own <span>nested browsing
context</span> when the <code>iframe</code> is being set up; once evaluated, its return value
(if it was a string) would replace that <span>browsing context</span>'s
<code>Document</code>, thus also changing the <code>Window</code> object of that
<span>browsing context</span>.</p>

</div>

<p class="example">So for example a <span data-x="javascript
protocol"><code>javascript:</code> URL</span> in an <code
data-x="attr-hyperlink-href">href</code> attribute of an <code>a</code> element would only be
evaluated when the link was <span data-x="following hyperlinks">followed</span>, while such a
URL in the <code data-x="attr-iframe-src">src</code> attribute of an <code>iframe</code>
element would be evaluated in the context of the <code>iframe</code>'s own <span>nested
browsing context</span> when the <code>iframe</code> is being set up. Once evaluated, its
return value (if it was a string) would replace that <span>browsing context</span>'s
<code>Document</code>, thus also changing the <code>Window</code> object of that
<span>browsing context</span>.</p>
</dd>

<dt>If <var>resource</var> is to be fetched using `<code data-x="">GET</code>`, and there are
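Review bot: both the response branch and the javascript: branch drop "and then return" (the replaced lines `<var>browsingContext</var>, and then return.</p></dd>` and `<var>browsingContext</var>, and then return.</p></li>` become `<var>browsingContext</var>.</p></dd>` and `<var>browsingContext</var>.</p></li>`); that is only safe if this dt/dd switch is the last step of the navigate algorithm, otherwise both branches now fall through into whatever follows. Assuming it is the last step, the javascript: branch is now a clean two-step task: obtain the response from the factored-out "execute a javascript: URL request" algorithm, then hand it to "process a navigate response". One consequence worth calling out in the commit message: the same-origin and CSP checks that used to be inline here still run inside the task queued on the DOM manipulation task source for browsingContext's active document, so they are evaluated when the task runs, not when the navigation starts; the issue #2591 note carried over into the new algorithm still applies.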
Expand Down Expand Up @@ -82464,7 +82366,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
is a <span>fetch scheme</span></dt>
<dd><p>Run <span>process a navigate fetch</span> given <var>resource</var>, the <span>source
browsing context</span>, and <var>browsingContext</var>, and <var>navigationType</var>.</p></dd>
browsing context</span>, <var>browsingContext</var>, and <var>navigationType</var>.</p></dd>

<dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
<span data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
Expand Down Expand Up @@ -82970,6 +82872,105 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
<p class="example">For example, there could be a vulnerability in the target software's URL
handler which a hostile page would attempt to exploit by tricking a user into clicking a link.</p>

<p>To <dfn data-x="javascript protocol">execute a <code>javascript:</code> URL request</dfn>,
given a <span data-x="concept-request">request</span> <var>request</var>, and two <span
data-x="browsing context">browsing contexts</span> <var>source</var> and
<var>browsingContext</var>, run these steps:</p>

<ol id="concept-js-deref">
<li><p>Let <var>response</var> be a <span data-x="concept-response">response</span> whose <span
data-x="concept-response-status">status</span> is <code data-x="">204</code>.</p></li>

<li>
<p>If both of the following are true:</p>

<ul>
<li>
<p><var>source</var>'s <span>active document</span>'s <span>origin</span> is <span>same
origin</span> with <var>browsingContext</var>'s <span>active document</span>'s
<span>origin</span>.</p>

<p class="&#x0058;&#x0058;&#x0058;">As explained in <a
href="https://github.com/whatwg/html/issues/2591">issue #2591</a> this step does not work
and presents a security issue.</p>
</li>

<li><p>The <span>Should navigation request of type from source in target be blocked by Content
Security Policy?</span> algorithm returns "<code data-x="">Allowed</code>" when executed upon
<var>request</var>, "<code data-x="">other</code>", <var>source</var>, and
<var>browsingContext</var>. <ref spec="CSP"></p></li>
</ul>

<p>then:</p>

<ol>
<li><p>Let <var>urlString</var> be the result of running the <span
data-x="concept-url-serializer">URL serializer</span> on <var>request</var>'s <span
data-x="concept-request-url">url</span>.</p></li>

<li><p>Let <var>encodedScriptSource</var> be the result of removing the leading "<code
data-x="">javascript:</code>" from <var>urlString</var>.</p></li>

<li><p>Let <var>scriptSource</var> be the <span data-x="UTF-8 decode">UTF-8 decoding</span>
of the <span data-x="string percent decode">string percent decoding</span> of
<var>encodedScriptSource</var>.</p></li>

<!--
<body onload="&#xFFFE;w('test')"> and javascript:%EF%BB%BF'test' both work, so we assume
that JavaScript is stripping the BOM, and we don't have to
-->

<!--
https://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2639 -> about:blank
https://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2640 -> javascript:'test' in Firefox, about:blank otherwise
-->

<li><p><span data-x="list append">Append</span> the <var>browsingContext</var>'s <span>active
document</span>'s <span data-x="concept-document-url">URL</span> <span
data-x="concept-request-url-list">URL list</span>.</p></li>

<li><p>Let <var>settings</var> be <var>browsingContext</var>'s <span>active document</span>'s
<span>relevant settings object</span>.</p></li>

<li><p>Let <var>baseURL</var> be <var>settings</var>'s <span>API base URL</span>.</p></li>

<li><p>Let <var>script</var> be the result of <span>creating a classic script</span> given
<var>scriptSource</var>, <var>settings</var>, <var>baseURL</var>, and the <span>default
classic script fetch options</span>.</p></li>

<li><p>Let <var>evaluationStatus</var> be the result of <span data-x="run a classic
script">running the classic script</span> <var>script</var>.</p></li>

<li><p>Let <var>result</var> be undefined if <var>evaluationStatus</var> is an <span>abrupt
completion</span> or <var>evaluationStatus</var>.[[Value]] is empty, or
<var>evaluationStatus</var>.[[Value]] otherwise.</p></li>

<li>
<p>If <span data-x="js-Type">Type</span>(<var>result</var>) is String, then set
<var>response</var> to a <span data-x="concept-response">response</span> whose <span
data-x="concept-response-header-list">header list</span> consists of
`<code>Content-Type</code>`/`<code>text/html</code>` and `<code
data-x="http-referrer-policy">Referrer-Policy</code>`/<var>settings</var>'s <span>referrer
policy</span>, whose <span data-x="concept-response-body">body</span> is <var>result</var>,
and whose <span data-x="concept-response-https-state">HTTPS state</span> is
<var>settings</var>'s <span>HTTPS state</span>.</p>

<p class="&#x0058;&#x0058;&#x0058;">The exact conversion between the JavaScript string
<var>result</var> and the bytes that comprise a <span data-x="concept-response-body">response
body</span> is not yet specified, pending further investigation into user agent behavior. See
<a href="https://github.com/whatwg/html/issues/1129">issue #1129</a>.</p>
</li>
</ol>
</li>

<li><p>Return <var>response</var>.</p></li>
</ol>

<p class="&#x0058;&#x0058;&#x0058;">In addition to the specific issues linked above, <code
data-x="javascript protocol">javascript:</code> URLs have a <a
href="https://github.com/whatwg/html/labels/topic%3A%20javascript%3A%20URLs">dedicated label</a>
on the issue tracker documenting various problems with their specification.</p>

<hr>

<p>Some of the sections below, to which the above algorithm defers in certain cases, require the
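Review bot: the step reading `<span data-x="list append">Append</span> the <var>browsingContext</var>'s <span>active document</span>'s <span data-x="concept-document-url">URL</span> <span data-x="concept-request-url-list">URL list</span>.` is missing its target; the old text read "Append address to resource's URL list", so this should say "to <var>request</var>'s URL list". Otherwise the restructuring preserves the old semantics: response starts as a 204, and the script is created and run only when source and browsingContext have same-origin active documents and the CSP navigation check returns "Allowed", which is the contrapositive of the old "let result be undefined and jump to process result if not same origin or Blocked". Two smaller points: the old undefined variable "settings object" in the base URL step is correctly replaced by <var>settings</var>; and the note on the unspecified string-to-bytes conversion of result (issue #1129) changes from class="warning" to the XXX class, which should be mentioned in the commit message since it changes how the note renders.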
Expand Down Expand Up @@ -95087,7 +95088,7 @@ dictionary <dfn>EventSourceInit</dfn> {
<p>As data is received, the <span data-x="concept-task">tasks</span> queued by the <span>networking
task source</span> to handle the data must act as follows.</p>

<p>HTTP 200 OK responses with a `<span>Content-Type</span>` header specifying the type
<p>HTTP 200 OK responses with a `<code>Content-Type</code>` header specifying the type
`<code>text/event-stream</code>`, ignoring any <span>MIME type</span> parameters, must be
processed line by line <a href="#event-stream-interpretation">as described below</a>.</p>
