HTML Standard Tracker


File a bug

SVNBugCommentTime (UTC)
2046Require that <script src=javascript:...></script> result in no script execution, for any value of '...', for compatibility with most UAs.2008-08-11 10:14
@@ -23707,20 +23707,28 @@ function AddCloud(data, x, y) { ... }</pre>
     executed"</span> flag.</p>
     <p>If the element has a <code title="attr-script-src">src</code>
     attribute, then the specified resource must be <span
+    <p>For historical reasons, if the <span>URL</span> is a <span
+    title="javascript protocol"><code title="">javascript:</code>
+    URL</span>, then the user agent must not, despite the requirements
+    in the definition of the <span title="fetch">fetching</span>
+    algorithm, actually execute the given script, and instead the user
+    agent must act as if it had received an empty HTTP 400
+    response.</p>
     <p>Once the fetching process has completed, and the script has
     <dfn>completed loading</dfn>, the user agent will have to complete
     <span title="when a script completes loading">the steps described
     below</span>. (If the parser is still active at that time, those
     steps defer to the parser to handle the execution of pending
     <p>For performance reasons, user agents may start fetching the
     script as soon as the attribute is set, instead, in the hope that
     the element will be inserted into the document. Either way, once