| 01:16 | <Sacha Greif> | just a heads up that this year's State of JS survey is now open: https://survey.devographics.com/en-US/survey/state-of-js/2025 as usual any help spreading the word will be much appreciated! |
| 01:46 | <Domenic> | Cross-posting from WHATWG, because I suspect people here also have thoughts: Can anyone think of "entry points" for script execution in a Document (not worker) apart from <script> elements and inline event handlers? That is, if we cut off those two sources of script, is that enough to prevent any script from executing? Or is there some other way the browser might call into scripts? |
| 02:10 | <bakkot> | JavaScript urls |
| 02:26 | <Domenic> | Via user clicks, I guess... maybe even <meta name="refresh">, not sure. Nice one. |
| 02:28 | <bakkot> | Via lots of stuff, there's a huge number of url attributes and IIRC they all work |
| 02:31 | <Domenic> | How do you navigate to URLs without another entry point though |
| 02:31 | <Domenic> | (It's only navigation, subresources don't execute javascript: URLs.) |
| 02:46 | <bakkot> | Oh, for some reason I thought like <body background='javascript:'> worked, nice that it doesn't |
| 02:46 | <bakkot> | there's still <iframe src='javascript:console.log(1)'></iframe> which I know works |
| 02:47 | <Justin Ridgewell> | ^srcdoc? |
| 03:17 | <Domenic> | Ah yep, srcdoc works! |
| 03:35 | <Domenic> | meta refresh to javascript: is allowed per spec but thankfully browsers disallow it: https://github.com/whatwg/html/issues/11699 |
| 03:40 | <bakkot> | <form action="javascript:console.log(1)"> works but I think does require user action, same as <a href="javascript:"> |