Bug 12408
| Summary: | Documents loaded via "javascript:" URLs have empty URLs | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | abarth, ahmad.saleem792, annevk, calvinstock |
| Priority: | P2 | ||
| Version: | 420+ | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
Alexey Proskuryakov
<iframe frameborder=0 src="javascript:'<script>alert(document.URL)</script>'"></iframe>
This shows an alert with iframe's URL. In WebKit, it's empty (displayed as about:blank), while Firefox displays the actual "javascript:" URL.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Adam Barth
Yeah, we can fix this, but we have to it carefully. When you go down this path, you end up with javascript URLs in the back/forward list, etc, and you have to be careful only to run them once and not to introduce security problems.
When Firefox creates a document with a javascript URL, they actually represent the document's URL internally as a "wyciwyg" URL (what you cache is what you get). That why when you return to the document (say with back/forward) you know the result of evaling the JavaScript without having to do it again (and you remember the right security context).
Calvin
That's nothing! :P I have even seen "null" title's on my iPhone.
I never liked the generic "Javascript" or "index.html" title's in those popup boxes. That's the reason that I'm here... although it is not really a bug (more a design flaw)... I would love to see a way to customize the title's (and button names)
my idea is to expand:
alert("hello world")
to (note the [ and ] for optional parameters so that it stays standard compliant):
alert("hello world" [, "title" [, "name of the button" ]])
the prompt and confirm popup syntax is analogue:
prompt("text goes here" [, "title" [, <array of length 2 with the button names>]])
-> it should be possible here to only have one button if you pass an array of length 1 (longer arrays can be ignored) so that a log in box makes more sense (when you *have/want* to log in you don't cancel)
confirm("text" [, "title [, button-names]])
As a webapp developer (mostly iphone optimized webapps) I want to be able to deliver the best user experience and standard javascript boxes doesn't fit always but because they are well integrated (and nice lookin' on the iPhone) I want to keep using them.
And... a suggestion for a new popup would be a 'choice'-box. It's like a confirm-popup but with more that 2 buttons (you can integrate it with the confirm but then it wouldn't be standard compliant anymore... i think).
like:
choice("would you like to save you're progress?", "My webapp", [ "Cancel", "yes", no"], cancel)
you specify text, title, buttons and ofcourse a default for the buttons
is this possible? or is it something that will never be supported? I would love to see these little things in the next major update (safari 5 and iphoneOS 4.0)
Thank you... and please keep me posted... I would like your opinion on my ideas.
Adam Barth
> my idea is to expand:
>
> alert("hello world")
>
> to (note the [ and ] for optional parameters so that it stays standard
> compliant):
>
> alert("hello world" [, "title" [, "name of the button" ]])
It's unlikely we will expand these API unilaterally without consensus from other browser vendors. If you would like to build consensus among browser vendors for these features, I recommend you bring you ideas up to the HTML working group:
http://www.w3.org/html/wg/
Calvin
that was a quick reponse.
not the one i hoped for but one that i can understand... standards are good but they are slow to 'evolve'
thx for the link